
github.com/mattermost/mattermost-server vulnerabilities

250 known vulnerabilities affecting github.com/mattermost_mattermost-server.

Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72

Vulnerabilities

Page 10 of 13
CVE-2026-25780 | P4 | MEDIUM | published 2026-03-16
Affected versions: ≥ 0, < 5.3.2-0.20260123215601-86797c508c44; ≥ 10.11.0-rc1, < 10.11.11; +2 more
CWE-789: Mattermost fails to bound memory allocation when processing DOC files
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file. Mattermost Advisory ID: MMSA-2026-00581
Sources: ghsa, osv

CVE-2025-2527 | P4 | UNKNOWN | published 2025-05-23
Affected versions: ≥ 9.11.0+incompatible, < 9.11.12+incompatible; ≥ 10.5.0+incompatible, < 10.5.3+incompatible
Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server
Sources: osv

CVE-2025-3228 | P4 | MEDIUM | published 2025-06-20
Affected versions: ≥ 0, < 0.0.0-20250520060012-d0380305ef7a
CWE-863: Mattermost allows an unauthorized Guest user access to Playbook
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.
Sources: ghsa, osv

CVE-2025-1472 | P4 | MEDIUM | published 2025-03-19
Affected versions: ≥ 9.11.0, < 9.11.9
CWE-863: Mattermost Fails to Properly Perform Viewer Role Authorization
Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.
Sources: ghsa, osv

CVE-2025-2424 | P4 | UNKNOWN | published 2025-04-22
Affected versions: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.5.0+incompatible, < 10.5.2+incompatible
Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
Sources: osv

CVE-2025-47870 | P4 | MEDIUM | published 2025-08-21
Affected versions: ≥ 10.8.0, < 10.8.4; ≥ 10.5.0, < 10.5.9; +2 more
CWE-306: Mattermost Does Not Sanitize the Team Invite ID
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows a team admin with no member invite privileges to get the team's invite id.
Sources: ghsa, osv

CVE-2025-12559 | P4 | MEDIUM | published 2025-11-27
Affected versions: ≥ 11.0.0, < 11.0.3; ≥ 10.12.0, < 10.12.2; +2 more
CWE-200: Mattermost fails to sanitize team email addresses
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint.
Sources: ghsa, osv

CVE-2025-4128 | P4 | LOW | published 2025-06-11
Affected versions: ≥ 10.5.0, < 10.5.5; ≥ 9.11.0, < 9.11.14
CWE-863: Mattermost allows guest users to view information about public teams they are not members of
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}.
Sources: ghsa, osv

CVE-2025-49810 | P4 | LOW | published 2025-08-21
Affected versions: ≥ 10.5.0, < 10.5.9
CWE-863: Mattermost Lack of Access Control Validation
Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows a user to read a thread via AI posts.
Sources: ghsa, osv

CVE-2025-24839 | P4 | UNKNOWN | published 2025-04-22
Affected versions: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.4.0+incompatible, < 10.4.4+incompatible; +1 more
Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
Sources: osv

CVE-2025-2571 | P4 | UNKNOWN | published 2025-06-03
Affected versions: ≥ 9.0.0-rc1+incompatible, < 9.11.13+incompatible; ≥ 10.0.0-rc1+incompatible, < 10.5.4+incompatible; +2 more
Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server
Sources: osv

CVE-2025-14350 | P4 | MEDIUM | published 2026-02-16
Affected versions: ≥ 11.1.0; ≥ 10.11.0; +2 more
CWE-862: Mattermost fails to properly validate team membership when processing channel mentions
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the chann
Sources: ghsa, osv

CVE-2025-11777 | P4 | LOW | published 2025-11-13
Affected versions: ≥ 10.11.0, < 10.11.4; ≥ 10.5.0, < 10.5.12; +1 more
CWE-863: Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.
Sources: ghsa, osv

CVE-2026-3495 | P4 | LOW | published 2026-05-18
Affected versions: ≥ 0, < 5.3.2-0.20260310115442-5a1ea95044dc
CWE-79: Mattermost doesn't escape some variables that could contain malicious content during error page composition
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code v
Sources: ghsa

CVE-2025-9078 | P4 | MEDIUM | published 2025-09-15
Affected versions: ≥ 10.8.0, < 10.8.4; ≥ 10.5.0, < 10.5.9; +3 more
CWE-328: Mattermost makes Use of Weak Hash
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing.
Sources: ghsa, osv

CVE-2017-18873 | P4 | MEDIUM | published 2022-05-24
Affected versions: ≥ 0, < 4.1.2-0.20171013141717-ee57a5829ab1; ≥ 4.2.0, < 4.2.1-0.20171013140502-b3e4b0ac9168; +1 more
CWE-20: Mattermost Server is vulnerable to channel invisibility DoS via misformatted post
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel invisibility) via a misformatted post.
Sources: ghsa, osv

CVE-2024-1953 | P4 | UNKNOWN | published 2024-06-28
Affected versions: ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible; +1 more
Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server
Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerabil
Sources: osv

CVE-2024-1887 | P4 | UNKNOWN | published 2024-06-28
Affected versions: ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible
Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server
Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing fa
Sources: osv

CVE-2024-24776 | P4 | UNKNOWN | published 2024-06-05
Affected versions: ≥ 9.0.0+incompatible, < 9.3.0+incompatible
Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server
Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerabi
Sources: osv

CVE-2025-24526 | P4 | UNKNOWN | published 2025-03-03
Affected versions: ≥ 9.11.0-rc1+incompatible, < 9.11.8+incompatible; ≥ 10.2.0-rc1+incompatible, < 10.2.3+incompatible; +2 more
Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server
Sources: osv