github.com/mattermost/mattermost-server vulnerabilities
250 known vulnerabilities affecting github.com/mattermost/mattermost-server.
Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72
Vulnerabilities
Page 1 of 13
CVE-2025-12419 | P2 | CRITICAL | CWE-287 | published 2025-11-27
  Affected: ≥ 10.12.0, < 10.12.2; ≥ 10.11.0, < 10.11.5; +2 more
  Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication
  Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account vi
  Sources: GHSA, OSV
CVE-2025-12421 | P2 | CRITICAL | CWE-287 | published 2025-11-27
  Affected: ≥ 11.0.0, < 11.0.3; ≥ 10.12.0, < 10.12.2; +2 more
  Mattermost fails to verify the token used during code exchange
  Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authent
  Sources: GHSA, OSV
CVE-2025-4981 | P2 | CRITICAL | CWE-427 | published 2025-06-20
  Affected: ≥ 0, < 0.0.0-20250519205859-65aec10162f6
  Mattermost allows authenticated users to write files to arbitrary locations
  Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenam
  Sources: GHSA, OSV
CVE-2025-25279 | P2 | UNKNOWN | published 2025-03-03
  Affected: ≥ 9.11.0-rc1+incompatible, < 9.11.8+incompatible; ≥ 10.2.0-rc1+incompatible, < 10.2.3+incompatible; +2 more
  Mattermost allows reading arbitrary files related to importing boards in github.com/mattermost/mattermost-server
  Sources: OSV
CVE-2026-4858 | P2 | HIGH | CWE-22 | published 2026-05-21
  Affected: ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more
  Mattermost has a Path Traversal issue
  Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check the integration URL for path traversal, which allows a malicious authenticated user to call an arbitrary API using the system admin's Mattermost auth token via path traversal in the integration action URL. Mattermost Advisory ID: MMSA-2026-00640.
  Sources: GHSA
CVE-2024-39777 | P3 | UNKNOWN | published 2024-08-30
  Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more
  Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server
  Sources: OSV
CVE-2025-25274 | P3 | UNKNOWN | published 2025-03-25
  Affected: ≥ 9.11.0+incompatible, < 9.11.9+incompatible; ≥ 10.3.0+incompatible, < 10.3.4+incompatible; +2 more
  Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server
  Sources: OSV
CVE-2025-25068 | P3 | UNKNOWN | published 2025-03-25
  Affected: ≥ 9.11.0+incompatible, < 9.11.9+incompatible; ≥ 10.3.0+incompatible, < 10.3.4+incompatible; +2 more
  Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server
  Sources: OSV
CVE-2017-18915 | P3 | CRITICAL | CWE-20 | published 2022-05-24
  Affected: ≥ 0, < 3.6.7-0.20170420152529-0968e4079e0a; ≥ 3.7.0, < 3.7.5; +1 more
  Mattermost Server restarts may provide attackers with API access
  An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access.
  Sources: GHSA, OSV
CVE-2017-18888 | P3 | CRITICAL | CWE-89 | published 2022-05-24
  Affected: ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1; +1 more
  Mattermost Server is vulnerable to SQL Injection when executing multiple POST requests
  An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts.
  Sources: GHSA, OSV
CVE-2016-11074 | P3 | HIGH | CWE-287 | published 2022-05-24
  Affected: ≥ 0, < 3.0.0
  Mattermost Server: Insufficient Password-Reset Link Invalidation
  An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused.
  Sources: GHSA, OSV
CVE-2025-58073 | P3 | HIGH | CWE-862 | published 2025-10-16
  Affected: ≥ 10.11.0, < 10.11.2; ≥ 10.10.0, < 10.10.3; +1 more
  Mattermost has a Missing Authorization vulnerability
  Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify that a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state.
  Sources: GHSA, OSV
CVE-2025-58075 | P3 | HIGH | CWE-862 | published 2025-10-16
  Affected: ≥ 10.11.0, < 10.11.2; ≥ 10.10.0, < 10.10.3; +1 more
  Mattermost has a Missing Authorization vulnerability
  Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify that a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState.
  Sources: GHSA, OSV
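The four state-handling entries above (CVE-2025-12419, CVE-2025-12421, CVE-2025-58073 and CVE-2025-58075) share one root cause: something echoed back in the callback (the OAuth state, the SAML RelayState, or the token presented at code exchange) was acted on without checking that it belongs to the flow the server itself started. The Go program below is an added example written for this page, not Mattermost's code. It shows the pattern a practitioner would want in its place: a random, single-use state whose meaning (which pre-login session, which action, which invite) is stored server-side and bound to the session that started the flow, so nothing the client sends in the callback is trusted on its own. The StateStore and Flow types, the "sess-A"/"sess-B" identifiers and the 10-minute TTL are illustrative assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrUnknownState = errors.New("oauth: unknown or already-used state")
	ErrExpired      = errors.New("oauth: state expired")
	ErrFlowMismatch = errors.New("oauth: state was not issued to this browser session")
)

// Flow is what the server recorded when it redirected the user to the identity
// provider. Nothing in it is ever taken from the callback request.
// (Illustrative type for this example; field names are assumptions.)
type Flow struct {
	SessionID string // pre-login browser session (cookie) that started the flow
	Action    string // e.g. "login", "signup", "switch_auth"
	InviteID  string // team invite the user arrived with, "" if none
}

type flowRecord struct {
	Flow
	Expires time.Time
}

// StateStore issues random, single-use state values and keeps the Flow they
// belong to server-side. The client only ever echoes the opaque state back.
type StateStore struct {
	mu    sync.Mutex
	now   func() time.Time // injectable clock so expiry can be tested
	ttl   time.Duration
	flows map[string]flowRecord
}

func NewStateStore(ttl time.Duration, now func() time.Time) *StateStore {
	return &StateStore{now: now, ttl: ttl, flows: make(map[string]flowRecord)}
}

// Begin mints a 256-bit random state and binds it to the flow that is starting.
func (s *StateStore) Begin(f Flow) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	state := base64.RawURLEncoding.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.flows[state] = flowRecord{Flow: f, Expires: s.now().Add(s.ttl)}
	return state, nil
}

// Complete runs in the OAuth/OIDC callback before the code is exchanged.
// The state is consumed on the first attempt whatever the outcome, so it can
// be neither replayed nor finished from another session. The returned Flow
// tells the caller which action (and which invite) this callback may finish;
// invite permissions must still be re-checked against current server rules.
func (s *StateStore) Complete(state, sessionID string) (Flow, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.flows[state]
	if !ok {
		return Flow{}, ErrUnknownState
	}
	delete(s.flows, state) // single use, regardless of what follows
	if s.now().After(rec.Expires) {
		return Flow{}, ErrExpired
	}
	if subtle.ConstantTimeCompare([]byte(rec.SessionID), []byte(sessionID)) != 1 {
		return Flow{}, ErrFlowMismatch
	}
	return rec.Flow, nil
}

func main() {
	s := NewStateStore(10*time.Minute, time.Now)
	state, _ := s.Begin(Flow{SessionID: "sess-A", Action: "login"})
	_, err := s.Complete(state, "sess-B") // callback from a different browser session
	fmt.Println("other session:", err)
	_, err = s.Complete(state, "sess-A") // already consumed by the failed attempt
	fmt.Println("replay:", err)
}
```

The design point is that the callback never carries authority: the state is only a lookup key, the session cookie must match the one recorded at Begin, and a state that fails any check is gone for good, so an attacker who obtains someone else's state or RelayState cannot finish their flow or attach their own invite to it.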
CVE-2026-6346 | P3 | HIGH | CWE-200 | published 2026-05-18
  Affected: ≥ 0, < 5.3.2-0.20260326202606-fac92f4a71f3
  Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation
  Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a suppo
  Sources: GHSA
CVE-2017-18908 | P3 | CRITICAL | CWE-287 | published 2022-05-24
  Affected: ≥ 0, < 3.9.1-rc1; ≥ 3.10.0, < 3.10.1
  Mattermost Server password reset email requests can be sent to attacker-provided email addresses
  An issue was discovered in Mattermost Server before 4.0.0, 3.10.1, and 3.9.1. A password reset request was sometimes sent to an attacker-provided e-mail address.
  Sources: GHSA, OSV
CVE-2025-9079 | P3 | HIGH | CWE-22 | published 2025-09-19
  Affected: ≥ 10.8.0, < 10.8.4; ≥ 10.5.0, < 10.5.9; +3 more
  Mattermost Path Traversal vulnerability
  Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory.
  Sources: GHSA, OSV
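CVE-2025-4981, CVE-2026-4858 and CVE-2025-9079 on this page are three shapes of the same defect: a filename from an uploaded archive, a path inside an integration action URL, and a configured import directory each resolved to a file or API path outside the root it was supposed to stay under. The Go program below is an added example for this page, not Mattermost's own code. It shows the two containment checks a practitioner would reach for in such cases: SafeJoin for filesystem names (archive entries, plugin files, configured sub-directories) and SafeAPIPath for URL paths that are later used to call an API. The function names, the "/srv/plugins" root and the "/plugins/com.example.hook" prefix are illustrative assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a name or URL would resolve outside its permitted root.
var ErrTraversal = errors.New("path escapes the permitted root")

// SafeJoin resolves an untrusted relative name under root and refuses anything
// that would land outside root. Absolute names, backslash separators and any
// ".." that climbs above root are rejected on the lexically cleaned path, before
// the filesystem is touched. root is assumed to be an absolute, trusted path.
func SafeJoin(root, name string) (string, error) {
	// Treat backslashes as separators so "..\\..\\x" is not one file name on Unix.
	name = strings.ReplaceAll(name, "\\", "/")
	if name == "" || strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", ErrTraversal
	}
	cleanRoot := filepath.Clean(root)
	dst := filepath.Join(cleanRoot, filepath.FromSlash(name)) // Join also Cleans
	rel, err := filepath.Rel(cleanRoot, dst)
	if err != nil {
		return "", err
	}
	// A legitimate file named "..foo" is allowed; only ".." as a whole segment is not.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return dst, nil
}

// SafeAPIPath parses an integration/action URL and checks that its path, once
// percent-decoded and cleaned, still sits under allowedPrefix. url.Parse does
// the decoding, so "%2e%2e/" cannot slip past, and path.Clean collapses
// "a/../.." before the comparison is made.
func SafeAPIPath(rawURL, allowedPrefix string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	p := path.Clean("/" + u.Path)
	prefix := path.Clean("/" + allowedPrefix)
	if prefix != "/" && p != prefix && !strings.HasPrefix(p, prefix+"/") {
		return "", ErrTraversal
	}
	return p, nil
}

func main() {
	// Constructed sample names: a benign one and two that try to climb out.
	for _, name := range []string{"docs/readme.md", "../../etc/passwd", "..\\..\\x"} {
		dst, err := SafeJoin("/srv/plugins", name)
		fmt.Printf("%-20q -> %q %v\n", name, dst, err)
	}
	for _, raw := range []string{
		"https://mm.example/plugins/com.example.hook/actions/approve",
		"https://mm.example/plugins/com.example.hook/%2e%2e/%2e%2e/api/v4/users",
	} {
		p, err := SafeAPIPath(raw, "/plugins/com.example.hook")
		fmt.Printf("%q -> %q %v\n", raw, p, err)
	}
}
```

Both checks work on the cleaned, decoded form and compare against the root by relative path rather than by string prefix on the raw input, which is what defeats "..", mixed separators and percent-encoded dots alike. SafeJoin is lexical only; if root may contain symlinks, resolve it with filepath.EvalSymlinks first and apply the same check to the result.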
CVE-2025-1412 | P3 | UNKNOWN | published 2025-03-03
  Affected: ≥ 9.11.0-rc1+incompatible, < 9.11.7+incompatible; ≥ 10.4.0-rc1+incompatible, < 10.4.2+incompatible
  Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server
  Sources: OSV
CVE-2017-18900 | P3 | CRITICAL | CWE-1236 | published 2022-05-24
  Affected: ≥ 0, < 3.10.3; ≥ 4.0.0, < 4.0.3
  Mattermost Server is vulnerable to CSV Injection
  An issue was discovered in Mattermost Server before 4.0.4 and 3.10.3. It allows CSV injection via a compliance report.
  Sources: GHSA, OSV
CVE-2017-18912 | P3 | HIGH | CWE-22 | published 2022-05-24
  Affected: ≥ 0, < 3.7.4-0.20170404171331-0b5c0794fdcb
  Mattermost Server allows an attacker to specify a full pathname of a log file
  An issue was discovered in Mattermost Server before 3.7.5. It allows an attacker to specify a full pathname of a log file.
  Sources: GHSA, OSV
CVE-2025-55070 | P3 | MEDIUM | CWE-306 | published 2025-11-14
  Affected: ≥ 0, < 11.1.0
  Mattermost does not enforce MFA on WebSocket connections
  Mattermost versions < 11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events.
  Sources: GHSA, OSV