github.com/mattermost/mattermost-server vulnerabilities
250 known vulnerabilities affecting github.com/mattermost/mattermost-server.
Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72
Vulnerabilities
Page 11 of 13
CVE-2026-26246 | P4 | MEDIUM | ≥ 0, < 5.3.2-0.20260115183946-38b413a27604; ≥ 10.11.0-rc1, < 10.11.11 (+2 more) | 2026-03-16
CVE-2026-26246 [MEDIUM] CWE-789 Mattermost fails to bound memory allocation when processing PSD image files
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost Advisory ID: MMSA-2026-00
Sources: GHSA, OSV
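The PSD code path itself is not on this page, so the Go example below is an added illustration of the general defence against CWE-789 in an image upload path; it is not Mattermost's code or its fix for this CVE. It uses the standard library's PNG decoder because the pattern is format-independent: bound the bytes read, parse only the header with image.DecodeConfig (which does not allocate the bitmap), and reject images whose declared dimensions exceed a pixel budget before the full decode sizes its buffers. The budgets, decodeBounded, craftHugeHeader and smallPNG are all constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	"image/color"
	"image/png"
	"io"
)

// Budgets are constructed for this example; a server would take them from
// configuration. maxPixels bounds the decoded bitmap (worst case about 8 bytes
// per pixel for 16-bit RGBA); maxUploadBytes bounds how much of the upload is
// read into memory at all.
const (
	maxPixels      = 4_000_000
	maxUploadBytes = 4 << 20
)

var (
	errTooManyBytes = errors.New("upload exceeds byte budget")
	errTooLarge     = errors.New("image dimensions exceed pixel budget")
)

// decodeBounded reads at most maxUploadBytes+1 bytes, rejects oversized
// uploads, then parses only the header and rejects images whose width*height
// exceeds the pixel budget. Only after both checks does the full decode run,
// so nothing proportional to attacker-declared dimensions is allocated first.
func decodeBounded(r io.Reader) (image.Image, error) {
	data, err := io.ReadAll(io.LimitReader(r, maxUploadBytes+1))
	if err != nil {
		return nil, err
	}
	if len(data) > maxUploadBytes {
		return nil, errTooManyBytes
	}
	cfg, _, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	// Check each side before the product so the multiplication cannot overflow.
	if cfg.Width <= 0 || cfg.Height <= 0 ||
		cfg.Width > maxPixels || cfg.Height > maxPixels ||
		int64(cfg.Width)*int64(cfg.Height) > maxPixels {
		return nil, errTooLarge
	}
	img, _, err := image.Decode(bytes.NewReader(data))
	return img, err
}

// craftHugeHeader builds only the PNG signature and IHDR chunk of a file that
// claims to be w x h truecolour. Constructed input: a few dozen bytes on the
// wire, but a decoder that trusts the header would size buffers for w*h pixels.
func craftHugeHeader(w, h uint32) []byte {
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:], w)
	binary.BigEndian.PutUint32(ihdr[4:], h)
	ihdr[8] = 8 // bit depth
	ihdr[9] = 2 // colour type 2 = truecolour (RGB); compression/filter/interlace stay 0
	body := append([]byte("IHDR"), ihdr...)

	var out bytes.Buffer
	out.WriteString("\x89PNG\r\n\x1a\n")
	_ = binary.Write(&out, binary.BigEndian, uint32(len(ihdr)))
	out.Write(body)
	_ = binary.Write(&out, binary.BigEndian, crc32.ChecksumIEEE(body)) // CRC covers type+data
	return out.Bytes()
}

// smallPNG encodes a constructed 4x4 image that sits well inside both budgets.
func smallPNG() []byte {
	img := image.NewRGBA(image.Rect(0, 0, 4, 4))
	img.Set(1, 1, color.RGBA{R: 255, A: 255})
	var out bytes.Buffer
	_ = png.Encode(&out, img)
	return out.Bytes()
}

func main() {
	_, err := decodeBounded(bytes.NewReader(smallPNG()))
	fmt.Println("small image:", err)
	_, err = decodeBounded(bytes.NewReader(craftHugeHeader(100000, 100000)))
	fmt.Println("huge header:", err)
}
```

The crafted header declares a 100000 x 100000 image, which at 3 bytes per pixel is about 30 GB if a decoder allocates from the header alone; the byte budget would not catch it because the file is tiny. The same ordering applies to PSD or any other container: read the dimension fields, check them against a budget, and only then decode.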
CVE-2026-2578 | P4 | MEDIUM | ≥ 0, < 5.3.2-0.20260127062706-c6b205f0d770; ≥ 10.11.0-rc1, < 10.11.11 (+2 more) | 2026-03-16
CVE-2026-2578 [MEDIUM] CWE-201 Mattermost fails to preserve the redacted state of burn-on-read posts during deletion
Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579
Sources: GHSA, OSV
CVE-2025-27571 | P4 | UNKNOWN | ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.4.0+incompatible, < 10.4.4+incompatible (+1 more) | 2025-04-22
CVE-2025-27571 Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2025-24920 | P4 | UNKNOWN | ≥ 9.11.0+incompatible, < 9.11.9+incompatible; ≥ 10.3.0+incompatible, < 10.3.4+incompatible (+2 more) | 2025-03-25
CVE-2025-24920 Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2025-3227 | P4 | MEDIUM | ≥ 0, < 0.0.0-20250520060012-d0380305ef7a | 2025-06-20
CVE-2025-3227 [MEDIUM] CWE-863 Mattermost allows unauthorized channel member management through playbook runs
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and pri
Sources: GHSA, OSV
CVE-2025-3446 | P4 | UNKNOWN | ≥ 9.11.0+incompatible, < 9.11.12+incompatible; ≥ 10.4.0+incompatible, < 10.4.5+incompatible (+2 more) | 2025-05-23
CVE-2025-3446 Mattermost Fails to Validate Team Invite Permissions in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2025-27933 | P4 | MEDIUM | ≥ 0, < 9.11.9 | 2025-03-21
CVE-2025-27933 [MEDIUM] CWE-863 Mattermost allows members with permission to convert public channels to private and convert private to public
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public.
Sources: GHSA, OSV
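The entry above is the CWE-863 pattern in which one permission gates an endpoint that can perform two different transitions. The Go example below is an added illustration, not Mattermost's code or its patch: convertVulnerable checks a single permission regardless of direction, while convertFixed derives the permission to check from the transition actually requested. ChannelType, Permission, Member and the two permission names are hypothetical.

```go
package main

import "errors"

// Hypothetical types and permission names for this example; they are not
// Mattermost's own identifiers.
type ChannelType string
type Permission string

const (
	Public  ChannelType = "public"
	Private ChannelType = "private"

	PermPublicToPrivate Permission = "convert_public_channel_to_private"
	PermPrivateToPublic Permission = "convert_private_channel_to_public"
)

var (
	ErrForbidden         = errors.New("forbidden")
	ErrInvalidConversion = errors.New("invalid conversion")
)

// Member carries the permissions the caller actually holds.
type Member struct {
	Perms map[Permission]bool
}

// convertVulnerable is the bug class: a single permission gates the endpoint,
// so anyone allowed to make a public channel private can also make a private
// channel public, exposing its history to everyone on the team.
func convertVulnerable(m Member, from, to ChannelType) (ChannelType, error) {
	if from == to {
		return from, ErrInvalidConversion
	}
	if !m.Perms[PermPublicToPrivate] {
		return from, ErrForbidden
	}
	return to, nil
}

// requiredPermission maps the direction of the transition to the permission
// that authorizes it; any other transition is rejected outright rather than
// falling through to a default permission.
func requiredPermission(from, to ChannelType) (Permission, error) {
	switch {
	case from == Public && to == Private:
		return PermPublicToPrivate, nil
	case from == Private && to == Public:
		return PermPrivateToPublic, nil
	default:
		return "", ErrInvalidConversion
	}
}

// convertFixed authorizes on the specific transition requested.
func convertFixed(m Member, from, to ChannelType) (ChannelType, error) {
	perm, err := requiredPermission(from, to)
	if err != nil {
		return from, err
	}
	if !m.Perms[perm] {
		return from, ErrForbidden
	}
	return to, nil
}
```

The test to write for this class of bug is the asymmetric one: grant only the public-to-private permission and assert that the private-to-public request is refused. A check that only covers the "happy" direction would pass against the vulnerable version too.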
CVE-2026-21386 | P4 | MEDIUM | ≥ 0, < 5.3.2-0.20260130144323-5bb5261c72fa; ≥ 10.11.0-rc1, < 10.11.11 (+2 more) | 2026-03-16
CVE-2026-21386 [MEDIUM] CWE-203 Mattermost fails to use consistent error responses when handling the /mute command
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent
Sources: GHSA, OSV
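Added example (Go, not Mattermost's command handler) of the CWE-203 oracle the /mute entry describes and of the fix. muteVulnerable returns one error when the channel does not exist and another when it exists but the caller may not see it, so the enumerate helper, playing the attacker, recovers hidden private channel names from a candidate list. muteFixed returns the same error in both cases. Channel, Store, sampleStore, the user IDs and channel names are constructed for the example.

```go
package main

import (
	"errors"
	"sort"
)

// Constructed in-memory model for this example; not Mattermost's store.
type Channel struct {
	Name    string
	Private bool
	Members map[string]bool
}

type Store struct {
	byName map[string]*Channel
}

var (
	ErrChannelNotFound = errors.New("channel not found")
	ErrNotMember       = errors.New("you are not a member of this channel")
)

// visible reports whether userID is allowed to know the channel exists:
// public channels are listable, private ones only to their members.
func (c *Channel) visible(userID string) bool {
	return !c.Private || c.Members[userID]
}

// muteVulnerable answers differently for "no such channel" and "exists but
// you cannot see it". That difference is the oracle: a team member who is not
// in a private channel learns from the error text whether the name is taken.
func muteVulnerable(s *Store, userID, name string) error {
	ch, ok := s.byName[name]
	if !ok {
		return ErrChannelNotFound
	}
	if !ch.visible(userID) {
		return ErrNotMember
	}
	return nil
}

// muteFixed collapses both cases into the same error, so the response for a
// hidden private channel is indistinguishable from a nonexistent one.
func muteFixed(s *Store, userID, name string) error {
	ch, ok := s.byName[name]
	if !ok || !ch.visible(userID) {
		return ErrChannelNotFound
	}
	return nil
}

// enumerate plays the attacker: it probes candidate names through the given
// handler and returns those whose error reveals an existing, hidden channel.
func enumerate(mute func(*Store, string, string) error, s *Store, userID string, candidates []string) []string {
	var found []string
	for _, name := range candidates {
		if errors.Is(mute(s, userID, name), ErrNotMember) {
			found = append(found, name)
		}
	}
	sort.Strings(found)
	return found
}

// sampleStore builds the constructed fixture: one public channel both users
// are in, and one private channel that only alice is in.
func sampleStore() *Store {
	return &Store{byName: map[string]*Channel{
		"town-square": {Name: "town-square", Members: map[string]bool{"alice": true, "mallory": true}},
		"layoffs-q3":  {Name: "layoffs-q3", Private: true, Members: map[string]bool{"alice": true}},
	}}
}
```

Collapsing the error message is necessary but not sufficient: the two code paths must also take indistinguishable time and produce the same status code and response shape, otherwise the oracle moves from the message to the timing or the headers.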
CVE-2026-6339 | P4 | MEDIUM | ≥ 0, < 5.3.2-0.20260327001745-7a339a6438f5 | 2026-05-18
CVE-2026-6339 [MEDIUM] CWE-346 Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint
Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image ta
Sources: GHSA
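Added example (Go net/http, not Mattermost's code) of the check the entry above refers to. A Markdown image tag rendered in the victim's browser issues a GET carrying the victim's session cookie, but the browser never adds X-Requested-With to an image fetch and a cross-origin script cannot add it without a CORS preflight. Requiring the header on cookie-authenticated requests therefore stops the forced reveal; refusing GET on a state-changing endpoint closes the image-tag vector independently. The path /api/reveal, the cookie name, xhrMarker and the simulate helper are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Conventional header value; whether Mattermost uses exactly this value is
// not asserted here.
const xhrMarker = "XMLHttpRequest"

// requireXRequestedWith gates cookie-authenticated requests. A request that
// carries a bearer token instead skips the check, because a cross-site image
// fetch cannot attach one; a cookie-only request must prove it came from the
// application's own script by carrying the custom header.
func requireXRequestedWith(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cookieAuth := r.Header.Get("Authorization") == ""
		if cookieAuth && r.Header.Get("X-Requested-With") != xhrMarker {
			http.Error(w, "missing X-Requested-With header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// revealHandler stands in for the state-changing endpoint. It also refuses
// GET, since an <img src=...> can only ever issue a GET.
func revealHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	fmt.Fprint(w, "revealed")
}

func newHandler() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/reveal", requireXRequestedWith(http.HandlerFunc(revealHandler)))
	return mux
}

// simulate issues one request carrying the victim's session cookie and returns
// the status code. withHeader=false models what an image tag makes the browser
// send; withHeader=true models the application's own fetch.
func simulate(h http.Handler, method string, withHeader bool) int {
	req := httptest.NewRequest(method, "/api/reveal", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: "victim-session"})
	if withHeader {
		req.Header.Set("X-Requested-With", xhrMarker)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := newHandler()
	fmt.Println("image-tag GET, cookie only:", simulate(h, http.MethodGet, false))
	fmt.Println("app POST with header:", simulate(h, http.MethodPost, true))
}
```

The header check only holds if the server's CORS policy does not echo arbitrary origins with credentials, because a permissive Access-Control-Allow-Origin would let a cross-origin script pass the preflight and set the header itself. The method restriction is the cheaper defence and should be applied as well, since image, link and form elements can never produce a POST with a custom header.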
CVE-2017-18889 | P4 | MEDIUM | ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1 (+1 more) | 2022-05-24
CVE-2017-18889 [MEDIUM] CWE-20 Mattermost Server is vulnerable to webhook and slash command manipulation
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API.
Sources: GHSA, OSV
CVE-2024-4182 | P4 | MEDIUM | ≥ 8.1.0, < 8.1.12; ≥ 9.4.0, < 9.4.5 (+2 more) | 2024-04-26
CVE-2024-4182 [MEDIUM] CWE-754 Mattermost crashes web clients via a malformed custom status
Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.
Sources: GHSA, OSV
CVE-2024-1952 | P4 | UNKNOWN | ≥ 9.0.0+incompatible, < 9.4.0+incompatible | 2024-06-05
CVE-2024-1952 Mattermost incorrectly allows access to individual posts in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2024-1942 | P4 | UNKNOWN | ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible | 2024-06-28
CVE-2024-1942 Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped t
Sources: OSV
CVE-2025-2564 | P4 | UNKNOWN | ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.4.0+incompatible, < 10.4.4+incompatible (+1 more) | 2025-04-22
CVE-2025-2564 Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2025-64641 | P4 | MEDIUM | ≥ 10.11.0, < 10.11.8; ≥ 10.12.0, < 10.12.4 (+2 more) | 2025-12-24
CVE-2025-64641 [MEDIUM] CWE-863 Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Ji
Sources: GHSA, OSV
CVE-2017-18890 | P4 | MEDIUM | ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1 (+1 more) | 2022-05-24
CVE-2017-18890 [MEDIUM] CWE-20 Mattermost Server allows attackers to create buttons that can launch API requests
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request.
Sources: GHSA, OSV
CVE-2016-11081 | P4 | MEDIUM | ≥ 0, < 2.2.0 | 2022-05-24
CVE-2016-11081 [MEDIUM] CWE-200 Mattermost Server exposes information stored by a web browser
An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.
Sources: GHSA, OSV
CVE-2024-1402 | P4 | UNKNOWN | ≥ 9.1.0+incompatible, < 9.1.5+incompatible; ≥ 9.2.0+incompatible, < 9.2.4+incompatible | 2024-06-28
CVE-2024-1402 Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to stan
Sources: OSV
CVE-2023-48732 | P4 | UNKNOWN | ≥ 0, < 8.1.7+incompatible | 2024-06-28
CVE-2023-48732 Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server
NOTE: The source advisory for this report contains additional versions that coul
Sources: OSV
CVE-2024-1888 | P4 | UNKNOWN | ≥ 9.2.0+incompatible, < 9.2.5+incompatible; ≥ 9.3.0+incompatible, < 9.3.1+incompatible (+1 more) | 2024-06-28
CVE-2024-1888 Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports
Sources: OSV