github.com/mattermost/mattermost-server vulnerabilities (cvebase)

250 known vulnerabilities affecting github.com/mattermost/mattermost-server.

Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0

Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72

Vulnerabilities

Page 13 of 13
CVE-2025-1792 | P4 | Severity: UNKNOWN | Published: 2025-06-03
Affected: ≥ 9.0.0-rc1+incompatible, < 9.11.13+incompatible; ≥ 10.0.0-rc1+incompatible, < 10.5.4+incompatible; +1 more
Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server
Sources: OSV

CVE-2024-4195 | P4 | Severity: LOW | CWE-284 | Published: 2024-04-26
Affected: ≥ 9.5.0, < 9.5.3; ≥ 8.1.0, < 8.1.12
Mattermost allows team admins to promote guests to team admins
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.
Sources: GHSA, OSV
CVE-2026-27769 | P4 | Severity: LOW | CWE-862 | Published: 2026-04-17
Affected: ≥ 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20260316060126-bc1a2b34b1f9
Mattermost doesn't validate whether users were correctly owned by the correct Connected Workspace
Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace, which allows a malicious remote server connected using the Connected Workspaces feature to change the displayed status of local users via the Conn
Sources: GHSA
CVE-2025-14573 | P4 | Severity: LOW | CWE-862 | Published: 2026-02-16
Affected: ≥ 11.1.0; ≥ 10.11.0; +2 more
Mattermost fails to enforce invite permissions when updating team settings
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561
Sources: GHSA, OSV

CVE-2016-11077 | P4 | Severity: LOW | CWE-732 | Published: 2022-05-24
Affected: ≥ 0, < 3.0.0
Mattermost Server allows System Admin to modify LDAP account names and email addresses
An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.
Sources: GHSA, OSV

CVE-2025-2570 | P4 | Severity: UNKNOWN | Published: 2025-05-23
Affected: ≥ 9.11.0+incompatible, < 9.11.12+incompatible; ≥ 10.5.0+incompatible, < 10.5.3+incompatible
Mattermost fails to check user access to `ExperimentalSettings` in github.com/mattermost/mattermost-server
Sources: OSV

CVE-2024-1949 | P4 | Severity: UNKNOWN | Published: 2024-06-28
Affected: ≥ 9.0.0+incompatible, < 9.4.2+incompatible
Mattermost race condition in github.com/mattermost/mattermost-server
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affect
Sources: OSV

CVE-2025-27538 | P4 | Severity: UNKNOWN | Published: 2025-04-22
Affected: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.5.0+incompatible, < 10.5.2+incompatible
Mattermost: missing authentication for critical function in github.com/mattermost/mattermost-server
Sources: OSV

CVE-2024-40884 | P4 | Severity: UNKNOWN | Published: 2024-08-30
Affected: ≥ 9.5.0+incompatible, < 9.5.8+incompatible; ≥ 9.10.0+incompatible, < 9.10.1+incompatible
Mattermost allows a team admin user without the "Add Team Members" permission to disable the invite URL in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2025-27715 | P4 | Severity: UNKNOWN | Published: 2025-03-25
Affected: ≥ 9.11.0+incompatible, < 9.11.9+incompatible
Mattermost fails to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server
Sources: OSV