
Github.Com Mattermost Mattermost-Server vulnerabilities

250 known vulnerabilities affecting github.com/mattermost_mattermost-server.

Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72

Vulnerabilities

Page 11 of 13
CVE-2026-26246 | P4 | MEDIUM | 2026-03-16
  Affected ranges: ≥ 0, < 5.3.2-0.20260115183946-38b413a27604; ≥ 10.11.0-rc1, < 10.11.11; +2 more
  CWE-789: Mattermost fails to bound memory allocation when processing PSD image files
  Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost Advisory ID: MMSA-2026-00
  Sources: GHSA, OSV

CVE-2026-2578 | P4 | MEDIUM | 2026-03-16
  Affected ranges: ≥ 0, < 5.3.2-0.20260127062706-c6b205f0d770; ≥ 10.11.0-rc1, < 10.11.11; +2 more
  CWE-201: Mattermost fails to preserve the redacted state of burn-on-read posts during deletion
  Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579
  Sources: GHSA, OSV

CVE-2025-27571 | P4 | UNKNOWN | 2025-04-22
  Affected ranges: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.4.0+incompatible, < 10.4.4+incompatible; +1 more
  Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
  Sources: OSV

CVE-2025-24920 | P4 | UNKNOWN | 2025-03-25
  Affected ranges: ≥ 9.11.0+incompatible, < 9.11.9+incompatible; ≥ 10.3.0+incompatible, < 10.3.4+incompatible; +2 more
  Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server
  Sources: OSV

CVE-2025-3227 | P4 | MEDIUM | 2025-06-20
  Affected ranges: ≥ 0, < 0.0.0-20250520060012-d0380305ef7a
  CWE-863: Mattermost allows unauthorized channel member management through playbook runs
  Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and pri
  Sources: GHSA, OSV

CVE-2025-3446 | P4 | UNKNOWN | 2025-05-23
  Affected ranges: ≥ 9.11.0+incompatible, < 9.11.12+incompatible; ≥ 10.4.0+incompatible, < 10.4.5+incompatible; +2 more
  Mattermost Fails to Validate Team Invite Permissions in github.com/mattermost/mattermost-server
  Sources: OSV

CVE-2025-27933 | P4 | MEDIUM | 2025-03-21
  Affected ranges: ≥ 0, < 9.11.9
  CWE-863: Mattermost allows members with permission to convert public channels to private and convert private to public
  Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public.
  Sources: GHSA, OSV

CVE-2026-21386 | P4 | MEDIUM | 2026-03-16
  Affected ranges: ≥ 0, < 5.3.2-0.20260130144323-5bb5261c72fa; ≥ 10.11.0-rc1, < 10.11.11; +2 more
  CWE-203: Mattermost fails to use consistent error responses when handling the /mute command
  Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent
  Sources: GHSA, OSV

CVE-2026-6339 | P4 | MEDIUM | 2026-05-18
  Affected ranges: ≥ 0, < 5.3.2-0.20260327001745-7a339a6438f5
  CWE-346: Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint
  Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image ta
  Sources: GHSA

CVE-2017-18889 | P4 | MEDIUM | 2022-05-24
  Affected ranges: ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1; +1 more
  CWE-20: Mattermost Server is vulnerable to webhook and slash command manipulation
  An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API.
  Sources: GHSA, OSV

CVE-2024-4182 | P4 | MEDIUM | 2024-04-26
  Affected ranges: ≥ 8.1.0, < 8.1.12; ≥ 9.4.0, < 9.4.5; +2 more
  CWE-754: Mattermost crashes web clients via a malformed custom status
  Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.
  Sources: GHSA, OSV

CVE-2024-1952 | P4 | UNKNOWN | 2024-06-05
  Affected ranges: ≥ 9.0.0+incompatible, < 9.4.0+incompatible
  Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost-server
  Sources: OSV

CVE-2024-1942 | P4 | UNKNOWN | 2024-06-28
  Affected ranges: ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible
  Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped t
  Sources: OSV

CVE-2025-2564 | P4 | UNKNOWN | 2025-04-22
  Affected ranges: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.4.0+incompatible, < 10.4.4+incompatible; +1 more
  Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
  Sources: OSV

CVE-2025-64641 | P4 | MEDIUM | 2025-12-24
  Affected ranges: ≥ 10.11.0, < 10.11.8; ≥ 10.12.0, < 10.12.4; +2 more
  CWE-863: Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin
  Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Ji
  Sources: GHSA, OSV

CVE-2017-18890 | P4 | MEDIUM | 2022-05-24
  Affected ranges: ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1; +1 more
  CWE-20: Mattermost Server allows attackers to create buttons that can launch API requests
  An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request.
  Sources: GHSA, OSV

CVE-2016-11081 | P4 | MEDIUM | 2022-05-24
  Affected ranges: ≥ 0, < 2.2.0
  CWE-200: Mattermost Server exposes information stored by a web browser
  An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.
  Sources: GHSA, OSV

CVE-2024-1402 | P4 | UNKNOWN | 2024-06-28
  Affected ranges: ≥ 9.1.0+incompatible, < 9.1.5+incompatible; ≥ 9.2.0+incompatible, < 9.2.4+incompatible
  Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to stan
  Sources: OSV

CVE-2023-48732 | P4 | UNKNOWN | 2024-06-28
  Affected ranges: ≥ 0, < 8.1.7+incompatible
  Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that coul
  Sources: OSV

CVE-2024-1888 | P4 | UNKNOWN | 2024-06-28
  Affected ranges: ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible; +1 more
  Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports
  Sources: OSV