Github.Com Mattermost Mattermost-Server vulnerabilities
250 known vulnerabilities affecting github.com/mattermost_mattermost-server.
Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72
Vulnerabilities
Page 6 of 13
CVE-2025-36530 [MEDIUM] CWE-22 Mattermost Fails to Validate File Paths
Priority: P4 | Affected: ≥ 10.9.0, < 10.9.2; ≥ 10.8.0, < 10.8.4; +2 more | Date: 2025-08-21
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations, which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.
Sources: ghsa, osv
CVE-2025-8023 [MEDIUM] CWE-22 Mattermost Fails to Sanitize Path Traversal Sequences
Priority: P4 | Affected: ≥ 10.8.0, < 10.8.4; ≥ 10.5.0, < 10.5.9; +2 more | Date: 2025-08-21
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories.
Sources: ghsa, osv
CVE-2026-4635 [MEDIUM] CWE-362 Mattermost doesn't archive the channel before removing persistent notifications
Priority: P4 | Affected: ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more | Date: 2026-05-26
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications, which allows an authenticated user to crash the server via timing the creation of a persistent notification message between the server deleting existi
Sources: ghsa
CVE-2026-2456 [MEDIUM] CWE-789 Mattermost fails to limit the size of responses from integration action endpoints
Priority: P4 | Affected: ≥ 0, < 5.3.2-0.20260127165411-fe3052073dc6; ≥ 10.11.0-rc1, < 10.11.11; +2 more | Date: 2026-03-16
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an
Sources: ghsa, osv
CVE-2025-9072 [HIGH] CWE-601 Mattermost Open Redirect vulnerability
Priority: P4 | Affected: ≥ 10.10.0, < 10.10.2; ≥ 10.5.0, < 10.5.10; +1 more | Date: 2025-09-15
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled URL.
Sources: ghsa, osv
CVE-2022-4044 [MEDIUM] CWE-770 Denial of service in Mattermost
Priority: P4 | Affected: ≥ 0, < 7.1.4; ≥ 7.2.0, < 7.2.1; +1 more | Date: 2022-11-23
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages.
Sources: ghsa, osv
CVE-2025-22445 [UNKNOWN] Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server
Priority: P4 | Affected: ≥ 0, < 10.3.0+incompatible | Date: 2025-01-09
Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If th
Sources: osv
CVE-2025-11794 [MEDIUM] CWE-200 Mattermost allows system administrators to access password hashes and MFA secrets
Priority: P4 | Affected: ≥ 10.11.0, < 10.11.4; ≥ 10.5.0, < 10.5.12; +1 more | Date: 2025-11-14
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data, which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint.
Sources: ghsa, osv
CVE-2025-9084 [LOW] CWE-601 Mattermost Open Redirect vulnerability
Priority: P4 | Affected: ≥ 10.5.0, < 10.5.10 | Date: 2025-09-15
Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs, which allows attackers to redirect users to malicious sites via crafted OAuth login URLs.
Sources: ghsa, osv
CVE-2016-11068 [MEDIUM] Mattermost Server is vulnerable to Code Injection through its LDAP fields
Priority: P4 | Affected: ≥ 0, < 3.2.0 | Date: 2022-05-24
An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
Sources: ghsa, osv
CVE-2017-18902 [MEDIUM] CWE-200 Mattermost Server exposes team invite IDs through API endpoints
Priority: P4 | Affected: ≥ 0, < 3.10.3; ≥ 4.0.0, < 4.0.4; +1 more | Date: 2022-05-24
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.
Sources: ghsa, osv
CVE-2017-18876 [MEDIUM] CWE-22 Mattermost Server is vulnerable to Path Traversal when files are stored locally
Priority: P4 | Affected: ≥ 0, < 4.1.2-0.20171004201910-6be8113eb60c; ≥ 4.2.0-rc1.0.20171004154238-fadd9514f6e7, < 4.2.1-0.20171004194140-6d3cb2ce07fc; +1 more | Date: 2022-05-24
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file.
Sources: ghsa, osv
CVE-2017-18896 [MEDIUM] CWE-732 Mattermost Server allows attackers to log sensitive information via DEBUG REST API logging endpoint
Priority: P4 | Affected: ≥ 4.1.0, < 4.1.1; ≥ 0, < 4.0.5; +1 more | Date: 2022-05-24
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint.
Sources: ghsa, osv
CVE-2023-1777 [MEDIUM] CWE-668 Mattermost vulnerable to information disclosure
Priority: P4 | Affected: ≥ 7.8.0, < 7.8.1; ≥ 7.7.0, < 7.7.2; +2 more | Date: 2023-03-31
Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.
Sources: ghsa, osv
CVE-2023-1774 [MEDIUM] CWE-862 Mattermost fails to properly authenticate inviter's permissions to private channel
Priority: P4 | Affected: ≥ 3.3.0, < 7.1.6; ≥ 7.7.0, < 7.7.2; +1 more | Date: 2023-03-31
When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.
[Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00137
Sources: ghsa, osv
CVE-2025-31947 [UNKNOWN] Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server
Priority: P4 | Affected: ≥ 9.11.0+incompatible, < 9.11.12+incompatible; ≥ 10.4.0+incompatible, < 10.4.5+incompatible; +2 more | Date: 2025-05-23
Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server
Sources: osv
CVE-2017-18895 [MEDIUM] CWE-200 Mattermost Server exposes sensitive user status information via REST API version 4 endpoint
Priority: P4 | Affected: ≥ 0, < 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | Date: 2022-05-24
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.
Sources: ghsa, osv
CVE-2016-11076 [HIGH] CWE-295 Mattermost Server does not check if cookies are used over SSL
Priority: P4 | Affected: ≥ 0, < 3.0.0 | Date: 2022-05-24
An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.
Sources: ghsa, osv
CVE-2017-18875 [MEDIUM] CWE-22 Mattermost Server does not prevent System Admin from arbitrary file creation
Priority: P4 | Affected: ≥ 0, < 4.1.2-0.20171004201910-6be8113eb60c; ≥ 4.2.0-rc1.0.20171004154238-fadd9514f6e7, < 4.2.1-0.20171004194140-6d3cb2ce07fc; +1 more | Date: 2022-05-24
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files.
Sources: ghsa, osv
CVE-2025-6465 [MEDIUM] CWE-22 Mattermost Fails to Sanitize File Names
Priority: P4 | Affected: ≥ 10.8.0, < 10.8.4; ≥ 10.5.0, < 10.5.9; +2 more | Date: 2025-08-21
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names, which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.
Sources: ghsa, osv