github.com/mattermost/mattermost-server vulnerabilities
250 known vulnerabilities affecting github.com/mattermost/mattermost-server.
Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72
Vulnerabilities
Page 5 of 13
CVE-2018-21258 | P4 | HIGH | affected: ≥ 0, < 5.1.0 | 2022-05-24
CVE-2018-21258 [HIGH] CWE-400 Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command
An issue was discovered in Mattermost Server before 5.1.0. It allows attackers to cause a denial of service via the invite_people slash command.
Sources: ghsa, osv
CVE-2024-28949 | P4 | UNKNOWN | affected: ≥ 9.3.0+incompatible, < 9.3.3+incompatible; ≥ 9.4.0+incompatible, < 9.4.4+incompatible; +1 more | 2024-06-05
CVE-2024-28949 Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing f
Sources: osv
CVE-2024-36492 | P4 | UNKNOWN | affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more | 2024-08-06
CVE-2024-36492 Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server
Sources: osv
CVE-2024-39837 | P4 | LOW | affected: ≥ 9.9.0, < 9.9.1; ≥ 9.5.0, < 9.5.7 | 2024-08-01
CVE-2024-39837 [LOW] CWE-284 Mattermost did not properly restrict channel creation
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation, which allows a malicious remote to create arbitrary channels when shared channels were enabled.
Sources: ghsa, osv
CVE-2025-27936 | P4 | UNKNOWN | affected: ≥ 10.5.0+incompatible, < 10.5.2+incompatible | 2025-04-22
CVE-2025-27936 Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing f
Sources: osv
CVE-2016-11078 | P4 | MEDIUM | affected: ≥ 0, < 3.0.0 | 2022-05-24
CVE-2016-11078 [MEDIUM] CWE-200 Mattermost Server exposes sensitive information via its System Console UI
An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.
Sources: ghsa, osv
CVE-2025-55073 | P4 | MEDIUM | affected: ≥ 10.11.0, < 10.11.4; ≥ 10.5.0, < 10.5.12; +1 more | 2025-11-14
CVE-2025-55073 [MEDIUM] CWE-306 Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth re
Sources: ghsa, osv
CVE-2026-28735 | P4 | MEDIUM | affected: ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more | 2026-05-26
CVE-2026-28735 [MEDIUM] CWE-863 Mattermost allows authenticated users to gain access to private repositories
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL. Mattermost A
Sources: ghsa
CVE-2017-18916 | P4 | MEDIUM | affected: ≥ 0, < 3.6.7-0.20170420152529-0968e4079e0a; ≥ 3.7.0, < 3.7.5; +1 more | 2022-05-24
CVE-2017-18916 [MEDIUM] CWE-284 Mattermost Server has Improper Authorization for Integration Requests
An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.
Sources: ghsa, osv
CVE-2016-11072 | P4 | MEDIUM | affected: ≥ 0, < 3.0.2 | 2022-05-24
CVE-2016-11072 [MEDIUM] Mattermost Server's Session ID and Session Token are potentially compromised
An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled.
Sources: ghsa, osv
CVE-2022-4045 | P4 | MEDIUM | affected: ≥ 0, < 7.1.4; ≥ 7.2.0, < 7.2.1; +1 more | 2022-11-23
CVE-2022-4045 [MEDIUM] CWE-770 Denial of service in Mattermost
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints that can fetch a large amount of data.
Sources: ghsa, osv
CVE-2025-6233 | P4 | MEDIUM | affected: ≥ 10.8.0, < 10.8.2; ≥ 10.7.0, < 10.7.4; +2 more | 2025-07-18
CVE-2025-6233 [MEDIUM] CWE-22 Mattermost Path Traversal vulnerability
Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.
Sources: ghsa, osv
CVE-2025-13821 | P4 | MEDIUM | affected: ≥ 11.1.0; ≥ 10.11.0; +2 more | 2026-02-16
CVE-2025-13821 [MEDIUM] CWE-200 Mattermost fails to sanitize sensitive data in WebSocket messages
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560
Sources: ghsa, osv
CVE-2025-3230 | P4 | UNKNOWN | affected: ≥ 9.0.0-rc1+incompatible, < 9.11.13+incompatible; ≥ 10.0.0-rc1+incompatible, < 10.5.4+incompatible; +2 more | 2025-06-03
CVE-2025-3230 Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server
Sources: osv
CVE-2025-46702 | P4 | MEDIUM | affected: ≥ 0, < 0.0.0-20250513065225-4ae5d647fb88 | 2025-06-30
CVE-2025-46702 [MEDIUM] CWE-863 Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via th
Sources: ghsa, osv
CVE-2023-1776 | P4 | MEDIUM | affected: ≥ 7.7.0, < 7.7.2; ≥ 7.1.0, < 7.1.6; +1 more | 2023-03-31
CVE-2023-1776 [MEDIUM] CWE-79 Mattermost vulnerable to cross-site scripting (XSS)
Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.
[Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00139
Sources: ghsa, osv
CVE-2025-2475 | P4 | UNKNOWN | affected: ≥ 9.11.0+incompatible, < 9.11.10+incompatible; ≥ 10.5.0+incompatible, < 10.5.2+incompatible | 2025-04-22
CVE-2025-2475 Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-server
Sources: osv
CVE-2025-47871 | P4 | MEDIUM | affected: ≥ 0, < 0.0.0-20250513065225-4ae5d647fb88 | 2025-06-30
CVE-2025-47871 [MEDIUM] CWE-863 Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display nam
Sources: ghsa, osv
CVE-2026-6333 | P4 | LOW | affected: ≥ 0, < 5.3.2-0.20260325160634-e738016c5920 | 2026-05-18
CVE-2026-6333 [LOW] CWE-918 Mattermost doesn't validate the Host header when constructing response URLs for custom slash command
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofe
Sources: ghsa
CVE-2017-18871 | P4 | HIGH | affected: ≥ 0, < 4.2.2; ≥ 4.3.0-rc1, < 4.3.4; +2 more | 2022-05-24
CVE-2017-18871 [HIGH] CWE-248 Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.
Sources: ghsa, osv