
Github.Com Mattermost Mattermost-Server vulnerabilities

250 known vulnerabilities affecting github.com/mattermost/mattermost-server.

Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10 | HIGH 24 | MEDIUM 116 | LOW 28 | UNKNOWN 72

Vulnerabilities

Page 2 of 13
CVE-2017-18886 | P3 | HIGH | CWE-732 | 2022-05-24
Title: Mattermost Server does not properly restrict use of slash commands
Affected: ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1; +1 more
Description: An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands.
Sources: GHSA, OSV
CVE-2017-18885 | P3 | CRITICAL | CWE-269 | 2022-05-24
Title: Mattermost Server allows attackers to gain privileges by accessing unintended API endpoints with users' credentials
Affected: ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1; +1 more
Description: An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user's behalf.
Sources: GHSA, OSV
CVE-2026-5740 | P3 | HIGH | CWE-789 | 2026-05-26
Title: Mattermost doesn't properly validate msgpack-encoded WebSocket frames before memory allocation
Affected: ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more
Description: Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unauthenticated remote attacker to crash the server process and cause a full service o
Sources: GHSA
CVE-2017-18883 | P3 | MEDIUM | CWE-331 | 2022-05-24
Title: Mattermost Server has low entropy for authorization data as an OAuth 2.0 Service Provider
Affected: ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1; +1 more
Description: An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.
Sources: GHSA, OSV
CVE-2017-18911 | P3 | CRITICAL | CWE-295 | 2022-05-24
Title: Mattermost Server has X.509 Improper Certificate Validation
Affected: ≥ 0, < 3.6.7-rc1; ≥ 3.7.0, < 3.7.5; +1 more
Description: An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server.
Sources: GHSA, OSV
CVE-2026-6347 | P3 | HIGH | CWE-200 | 2026-05-18
Title: Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin
Affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +1 more
Description: Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the expo
Sources: GHSA
CVE-2024-40886 | P3 | UNKNOWN | 2024-08-30
Title: Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server
Affected: ≥ 9.5.0+incompatible, < 9.5.8+incompatible; ≥ 9.8.0+incompatible, < 9.8.3+incompatible; +2 more
Description: Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2026-3473 | P3 | HIGH | CWE-639 | 2026-05-26
Title: Mattermost doesn't validate file ownership and access control
Affected: ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more
Description: Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620.
Sources: GHSA
CVE-2024-39832 | P3 | UNKNOWN | 2024-08-06
Title: Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server
Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more
Description: Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2017-18884 | P3 | CRITICAL | CWE-269 | 2022-05-24
Title: Mattermost Server exposes OAuth personal access tokens to attackers
Affected: ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1; +1 more
Description: An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens.
Sources: GHSA, OSV
CVE-2017-18906 | P3 | HIGH | CWE-613 | 2022-05-24
Title: Mattermost Server vulnerable to user account takeover when Single Sign-On OAuth2 is used
Affected: ≥ 0, < 3.9.2-0.20170714134023-b17fca0d5ee7; ≥ 3.10.0, < 3.10.2
Description: An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account.
Sources: GHSA, OSV
CVE-2026-24458 | P3 | HIGH | CWE-770 | 2026-03-16
Title: Mattermost fails to properly handle very long passwords
Affected: ≥ 0, < 5.3.2-0.20260129164748-7201f42d955f; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Description: Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587
Sources: GHSA, OSV
CVE-2016-11066 | P3 | HIGH | CWE-200 | 2022-05-24
Title: Mattermost Server: initial_load API exposes unnecessary information
Affected: ≥ 0, < 3.1.1
Description: An issue was discovered in Mattermost Server before 3.1.1. The initial_load API disclosed unnecessary personal information.
Sources: GHSA, OSV
CVE-2024-8071 | P3 | UNKNOWN | 2024-08-30
Title: Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server
Affected: ≥ 9.5.0+incompatible, < 9.5.8+incompatible; ≥ 9.8.0+incompatible, < 9.8.3+incompatible; +2 more
Description: Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2026-5308 | P3 | HIGH | CWE-400 | 2026-05-26
Title: Mattermost doesn't enforce request body size limits on plugin HTTP endpoints
Affected: ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more
Description: Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests. Mattermost Advisory ID: MMSA-2026-00646
Sources: GHSA
CVE-2024-41144 | P3 | UNKNOWN | 2024-08-06
Title: Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server
Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more
Description: Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2025-35965 | P3 | UNKNOWN | 2025-04-24
Title: Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks
Affected: ≥ 9.11.0+incompatible; ≥ 10.4.0+incompatible; +1 more
Description: Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks. NOTE: The source advisory for this report contains additional versions tha
Sources: OSV
CVE-2025-9081 | P3 | LOW | CWE-639 | 2025-09-19
Title: Mattermost boards plugin fails to restrict download access to files
Affected: ≥ 10.5.0-rc1, < 10.5.9; ≥ 9.11.0-rc1, < 9.11.18
Description: Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration
Sources: GHSA, OSV
CVE-2025-31363 | P3 | UNKNOWN | 2025-04-22
Title: Mattermost doesn't restrict domains LLM can request to contact upstream in github.com/mattermost/mattermost-server
Affected: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.4.0+incompatible, < 10.4.3+incompatible; +1 more
Description: Mattermost doesn't restrict domains LLM can request to contact upstream in github.com/mattermost/mattermost-server
Sources: OSV
CVE-2017-18894 | P3 | HIGH | CWE-639 | 2022-05-24
Title: Mattermost Server has intermittent Authorization bypass for resource-owners
Affected: ≥ 0, < 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more
Description: An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Resource-owner authorization can be intermittently bypassed, allowing account takeover.
Sources: GHSA, OSV
Github.Com Mattermost Mattermost-Server vulnerabilities | cvebase