
github.com/mattermost/mattermost-server vulnerabilities

250 known vulnerabilities affecting github.com/mattermost/mattermost-server.

Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72

Vulnerabilities

Page 6 of 13
CVE-2025-36530 (P4, MEDIUM, CWE-22), 2025-08-21
Title: Mattermost Fails to Validate File Paths
Affected: ≥ 10.9.0, < 10.9.2; ≥ 10.8.0, < 10.8.4; +2 more
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations, which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.
Sources: GHSA, OSV

CVE-2025-8023 (P4, MEDIUM, CWE-22), 2025-08-21
Title: Mattermost Fails to Sanitize Path Traversal Sequences
Affected: ≥ 10.8.0, < 10.8.4; ≥ 10.5.0, < 10.5.9; +2 more
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories.
Sources: GHSA, OSV

CVE-2026-4635 (P4, MEDIUM, CWE-362), 2026-05-26
Title: Mattermost doesn't archive the channel before removing persistent notifications
Affected: ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications, which allows an authenticated user to crash the server via timing the creation of a persistent notification message between the server deleting existi
Sources: GHSA

CVE-2026-2456 (P4, MEDIUM, CWE-789), 2026-03-16
Title: Mattermost fails to limit the size of responses from integration action endpoints
Affected: ≥ 0, < 5.3.2-0.20260127165411-fe3052073dc6; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an
Sources: GHSA, OSV

CVE-2025-9072 (P4, HIGH, CWE-601), 2025-09-15
Title: Mattermost Open Redirect vulnerability
Affected: ≥ 10.10.0, < 10.10.2; ≥ 10.5.0, < 10.5.10; +1 more
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user's cookies to an attacker-controlled URL.
Sources: GHSA, OSV

CVE-2022-4044 (P4, MEDIUM, CWE-770), 2022-11-23
Title: Denial of service in Mattermost
Affected: ≥ 0, < 7.1.4; ≥ 7.2.0, < 7.2.1; +1 more
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages.
Sources: GHSA, OSV

CVE-2025-22445 (P4, UNKNOWN), 2025-01-09
Title: Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server
Affected: ≥ 0, < 10.3.0+incompatible
Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If th
Sources: OSV

CVE-2025-11794 (P4, MEDIUM, CWE-200), 2025-11-14
Title: Mattermost allows system administrators to access password hashes and MFA secrets
Affected: ≥ 10.11.0, < 10.11.4; ≥ 10.5.0, < 10.5.12; +1 more
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data, which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint.
Sources: GHSA, OSV

CVE-2025-9084 (P4, LOW, CWE-601), 2025-09-15
Title: Mattermost Open Redirect vulnerability
Affected: ≥ 10.5.0, < 10.5.10
Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs, which allows attackers to redirect users to malicious sites via crafted OAuth login URLs.
Sources: GHSA, OSV

CVE-2016-11068 (P4, MEDIUM), 2022-05-24
Title: Mattermost Server is vulnerable to Code Injection through its LDAP fields
Affected: ≥ 0, < 3.2.0
An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
Sources: GHSA, OSV

CVE-2017-18902 (P4, MEDIUM, CWE-200), 2022-05-24
Title: Mattermost Server exposes team invite IDs through API endpoints
Affected: ≥ 0, < 3.10.3; ≥ 4.0.0, < 4.0.4; +1 more
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.
Sources: GHSA, OSV

CVE-2017-18876 (P4, MEDIUM, CWE-22), 2022-05-24
Title: Mattermost Server is vulnerable to Path Traversal when files are stored locally
Affected: ≥ 0, < 4.1.2-0.20171004201910-6be8113eb60c; ≥ 4.2.0-rc1.0.20171004154238-fadd9514f6e7, < 4.2.1-0.20171004194140-6d3cb2ce07fc; +1 more
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file.
Sources: GHSA, OSV

CVE-2017-18896 (P4, MEDIUM, CWE-732), 2022-05-24
Title: Mattermost Server allows attackers to log sensitive information via DEBUG REST API logging endpoint
Affected: ≥ 4.1.0, < 4.1.1; ≥ 0, < 4.0.5; +1 more
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint.
Sources: GHSA, OSV

CVE-2023-1777 (P4, MEDIUM, CWE-668), 2023-03-31
Title: Mattermost vulnerable to information disclosure
Affected: ≥ 7.8.0, < 7.8.1; ≥ 7.7.0, < 7.7.2; +2 more
Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.
Sources: GHSA, OSV

CVE-2023-1774 (P4, MEDIUM, CWE-862), 2023-03-31
Title: Mattermost fails to properly authenticate inviter's permissions to private channel
Affected: ≥ 3.3.0, < 7.1.6; ≥ 7.7.0, < 7.7.2; +1 more
When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel. Issue Identifier: MMSA-2023-00137 (https://mattermost.com/security-updates/)
Sources: GHSA, OSV

CVE-2025-31947 (P4, UNKNOWN), 2025-05-23
Title: Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server
Affected: ≥ 9.11.0+incompatible, < 9.11.12+incompatible; ≥ 10.4.0+incompatible, < 10.4.5+incompatible; +2 more
Sources: OSV

CVE-2017-18895 (P4, MEDIUM, CWE-200), 2022-05-24
Title: Mattermost Server exposes sensitive user status information via REST API version 4 endpoint
Affected: ≥ 0, < 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.
Sources: GHSA, OSV

CVE-2016-11076 (P4, HIGH, CWE-295), 2022-05-24
Title: Mattermost Server does not check if cookies are used over SSL
Affected: ≥ 0, < 3.0.0
An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.
Sources: GHSA, OSV

CVE-2017-18875 (P4, MEDIUM, CWE-22), 2022-05-24
Title: Mattermost Server does not prevent System Admin from arbitrary file creation
Affected: ≥ 0, < 4.1.2-0.20171004201910-6be8113eb60c; ≥ 4.2.0-rc1.0.20171004154238-fadd9514f6e7, < 4.2.1-0.20171004194140-6d3cb2ce07fc; +1 more
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files.
Sources: GHSA, OSV

CVE-2025-6465 (P4, MEDIUM, CWE-22), 2025-08-21
Title: Mattermost Fails to Sanitize File Names
Affected: ≥ 10.8.0, < 10.8.4; ≥ 10.5.0, < 10.5.9; +2 more
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names, which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.
Sources: GHSA, OSV