
Github.Com Mattermost Mattermost-Server vulnerabilities

250 known vulnerabilities affecting github.com/mattermost_mattermost-server.

Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0

Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72

Vulnerabilities

Page 3 of 13
CVE-2025-20621 (P3, UNKNOWN)
Affected: ≥ 9.11.0+incompatible, < 9.11.6+incompatible; ≥ 10.0.0+incompatible, < 10.0.4+incompatible; +2 more
Date: 2025-01-17
Mattermost webapp crash via a crafted post in github.com/mattermost/mattermost-server
Sources: osv

CVE-2025-9076 (P3, MEDIUM, CWE-862)
Affected: ≥ 10.10.0, < 10.10.2
Date: 2025-09-15
Mattermost Missing Authorization vulnerability
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.
Sources: ghsa, osv

CVE-2026-5163 (P3, MEDIUM, CWE-862)
Affected: ≥ 0, < 5.3.2-0.20260401090745-f4d1abe7e8f5
Date: 2026-05-18
Mattermost doesn't verify channel membership when processing AI-assisted message rewrites
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post r
Sources: ghsa

CVE-2025-20051 (P3, UNKNOWN)
Affected: ≥ 9.11.0-rc1+incompatible, < 9.11.8+incompatible; ≥ 10.2.0-rc1+incompatible, < 10.2.3+incompatible; +2 more
Date: 2025-03-03
Mattermost allows reading arbitrary files in github.com/mattermost/mattermost-server
Sources: osv

CVE-2025-41395 (P3, UNKNOWN)
Affected: ≥ 9.11.0+incompatible; ≥ 10.4.0+incompatible; +1 more
Date: 2025-04-24
Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks
Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks. NOTE: Th
Sources: osv

CVE-2024-39274 (P3, UNKNOWN)
Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more
Date: 2024-08-06
Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server
Sources: osv

CVE-2026-6345 (P3, MEDIUM, CWE-522)
Affected: ≥ 0, < 5.3.2-0.20260311102650-3057ae7e83e9
Date: 2026-05-18
Mattermost doesn't prevent disclosure of created user password
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 don't prevent disclosure of created user password which allows a malicious attacker to impersonate a user via the use of some of those passwords. Mattermost Advisory ID: MMSA-2026-00614
Sources: ghsa

CVE-2025-6226 (P3, MEDIUM, CWE-306)
Affected: ≥ 10.5.0, < 10.5.7; ≥ 10.8.0, < 10.8.2; +2 more
Date: 2025-07-18
Mattermost Missing Authentication for Critical Function
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.
Sources: ghsa, osv

CVE-2025-49222 (P3, MEDIUM, CWE-434)
Affected: ≥ 10.8.0, < 10.8.4; ≥ 10.5.0, < 10.5.9; +3 more
Date: 2025-08-21
Mattermost Fails to Validate Remote Cluster Upload Sessions
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.
Sources: ghsa, osv

CVE-2026-2325 (P3, MEDIUM, CWE-770)
Affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +1 more
Date: 2026-05-18
Mattermost doesn't limit the size of the request body on the start meeting API endpoint
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to {{/a
Sources: ghsa

CVE-2017-18909 (P3, HIGH, CWE-311)
Affected: ≥ 0, < 3.8.1-0.20170504181128-4f074fed0d65
Date: 2022-05-24
Mattermost Server SAML implementation does not require encryption or signature verification as default
An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.
Sources: ghsa, osv

CVE-2024-4183 (P3, MEDIUM, CWE-400)
Affected: ≥ 9.6.0-rc1, < 9.6.1; ≥ 9.5.0, < 9.5.3; +2 more
Date: 2024-04-26
Mattermost fails to limit the number of active sessions
Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.
Sources: ghsa, osv

CVE-2017-18903 (P3, HIGH, CWE-352)
Affected: ≥ 0, < 3.9.2; ≥ 3.10.0-rc1, < 3.10.2
Date: 2022-05-24
Mattermost Server vulnerable to CSRF if CORS is enabled
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.
Sources: ghsa, osv

CVE-2025-14822 (P3, LOW, CWE-407)
Affected: ≥ 10.11.0, < 10.11.9; ≥ 11.0.0, < 11.2.0
Date: 2026-01-16
Mattermost is vulnerable to CPU exhaustion via crafted HTTP request
Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens.
Sources: ghsa, osv

CVE-2025-30179 (P3, UNKNOWN)
Affected: ≥ 9.11.0+incompatible, < 9.11.9+incompatible; ≥ 10.3.0+incompatible, < 10.3.4+incompatible; +2 more
Date: 2025-03-25
Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server
Sources: osv

CVE-2025-14435 (P3, MEDIUM, CWE-770)
Affected: ≥ 10.11.0, < 10.11.9; ≥ 11.1.0, < 11.1.2; +1 more
Date: 2026-01-16
Mattermost is vulnerable to DoS due to infinite re-renders on API errors
Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops.
Sources: ghsa, osv

CVE-2026-3590 (P3, MEDIUM, CWE-367)
Affected: ≥ 10.11.0-rc1, < 10.11.13; ≥ 11.5.0-rc1, < 11.5.0; +2 more
Date: 2026-04-17
Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple i
Sources: ghsa

CVE-2016-11069 (P3, HIGH, CWE-799)
Affected: ≥ 0, < 3.2.0
Date: 2022-05-24
Mattermost Server does not enforce rate limits on password change attempts
An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.
Sources: ghsa, osv

CVE-2024-54083 (P3, UNKNOWN)
Affected: ≥ 9.5.0+incompatible, < 9.5.13+incompatible; ≥ 9.11.0+incompatible, < 9.11.5+incompatible; +2 more
Date: 2024-12-18
Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server
Sources: osv

CVE-2025-21088 (P3, UNKNOWN)
Affected: ≥ 9.11.0+incompatible, < 9.11.6+incompatible; ≥ 10.0.0+incompatible, < 10.0.4+incompatible; +2 more
Date: 2025-01-16
Mattermost Incorrect Type Conversion or Cast in github.com/mattermost/mattermost-server
Sources: osv