
Github.Com Mattermost Mattermost-Server vulnerabilities

250 known vulnerabilities affecting github.com/mattermost/mattermost-server.

Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72

Vulnerabilities

Page 7 of 13
CVE-2016-11063 | P4 | MEDIUM | affected: ≥ 0, < 3.5.1 | 2022-05-24
[MEDIUM] CWE-79 Mattermost Server vulnerable to Cross-site Scripting through file preview feature
An issue was discovered in Mattermost Server before 3.5.1. XSS can occur via file preview.
Sources: ghsa, osv
CVE-2017-18879 | P4 | MEDIUM | affected: ≥ 0, < 4.1.2; ≥ 4.2.0, < 4.2.1; +1 more | 2022-05-24
[MEDIUM] CWE-79 Mattermost Server is vulnerable to XSS through author_link field in Slack attachments
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment.
Sources: ghsa, osv
CVE-2017-18893 | P4 | MEDIUM | affected: ≥ 0, < 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | 2022-05-24
[MEDIUM] CWE-79 Mattermost Server is vulnerable to XSS through display name field
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.
Sources: ghsa, osv
CVE-2017-18918 | P4 | MEDIUM | affected: ≥ 0, < 3.6.5; ≥ 3.7.0, < 3.7.3 | 2022-05-24
[MEDIUM] CWE-22 Mattermost Server does not restrict SAML certificate path for System Administrators
An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary pathname.
Sources: ghsa, osv
CVE-2024-42497 | P4 | UNKNOWN | affected: ≥ 9.5.0+incompatible, < 9.5.8+incompatible; ≥ 9.8.0+incompatible, < 9.8.3+incompatible; +2 more | 2024-08-30
Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server
Sources: osv
CVE-2025-8402 | P4 | MEDIUM | affected: ≥ 10.8.0, < 10.8.4; ≥ 10.5.0, < 10.5.9; +3 more | 2025-08-21
[MEDIUM] CWE-476 Mattermost has Potential Server Crash due to Unvalidated Import Data
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.
Sources: ghsa, osv
CVE-2024-29977 | P4 | UNKNOWN | affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.9.0+incompatible, < 9.9.1+incompatible | 2024-08-06
Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server
Sources: osv
CVE-2026-4646 | P4 | MEDIUM | affected: ≥ 11.6.0, < 11.6.1; ≥ 11.5.0, < 11.5.4; +2 more | 2026-05-26
[MEDIUM] CWE-1287 Mattermost doesn't validate user-supplied input in API request handlers
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID: MMSA-2026-00638
Sources: ghsa
CVE-2025-32093 | P4 | MEDIUM | affected: ≥ 10.5.0, < 10.5.2; ≥ 10.4.0, < 10.4.4; +1 more | 2025-04-14
[MEDIUM] CWE-863 Mattermost Fails to Restrict Certain Operations on System Admins
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission val
Sources: ghsa, osv
CVE-2025-11776 | P4 | MEDIUM | affected: ≥ 0, < 5.3.2-0.20250815165020-c8d66301415d | 2025-11-14
[MEDIUM] CWE-863 Mattermost fails to properly restrict access to archived channel search API
Mattermost versions < 11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint
Sources: ghsa, osv
CVE-2026-3637 | P4 | MEDIUM | affected: ≥ 0, < 5.3.2-0.20260316171743-090408f09f53 | 2026-05-18
[MEDIUM] CWE-862 Mattermost doesn't check the create_post channel permission during post edit operations
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post u
Sources: ghsa
CVE-2026-28732 | P4 | MEDIUM | affected: ≥ 0, < 5.3.2-0.20260306123948-f5fe8ded6b63 | 2026-05-18
[MEDIUM] CWE-863 Mattermost doesn't enforce slash command trigger-word uniqueness during command updates
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom sl
Sources: ghsa
CVE-2026-3113 | P4 | MEDIUM | affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more | 2026-03-26
[MEDIUM] CWE-732 Mattermost doesn't set permissions on downloaded bulk export
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on downloaded bulk export which allows other local users on the server to be able to read contents of the bulk export. Mattermost Advisory ID: MMSA-2026-00593.
Sources: ghsa, osv
CVE-2017-18898 | P4 | MEDIUM | affected: ≥ 0, < 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | 2022-05-24
[MEDIUM] CWE-404 Mattermost Server is vulnerable to DoS through maliciously crafted posts
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser to hang.
Sources: ghsa, osv
CVE-2016-11067 | P4 | MEDIUM | affected: ≥ 0, < 3.2.0 | 2022-05-24
[MEDIUM] CWE-400 Mattermost Server is vulnerable to Uncontrolled Resource Consumption
An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang.
Sources: ghsa, osv
CVE-2017-18901 | P4 | MEDIUM | affected: ≥ 0, < 3.10.3; ≥ 4.0.0, < 4.0.4 | 2022-05-24
[MEDIUM] CWE-200 Mattermost Server exposes private team invite ID
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.
Sources: ghsa, osv
CVE-2016-11075 | P4 | MEDIUM | affected: ≥ 0, < 2.0.1-0.20160310160916-26ad6d2c7696 | 2022-05-24
[MEDIUM] CWE-200 Mattermost Server exposes sensitive information about team URLs via an API
An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.
Sources: ghsa, osv
CVE-2017-18905 | P4 | MEDIUM | affected: ≥ 0, < 3.9.2; ≥ 3.10.0, < 3.10.2 | 2022-05-24
[MEDIUM] CWE-613 Mattermost Server has Insufficient Session Expiration when used as an OAuth 2.0 service provider
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider. Session invalidation was mishandled.
Sources: ghsa, osv
CVE-2017-18907 | P4 | MEDIUM | affected: ≥ 0, < 3.9.2-0.20170714014920-312269ad0bd1; ≥ 3.10.0, < 3.10.2 | 2022-05-24
[MEDIUM] CWE-79 Mattermost Server vulnerable to XSS through channel headers
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.
Sources: ghsa, osv
CVE-2016-11082 | P4 | MEDIUM | affected: ≥ 0, < 2.2.0 | 2022-05-24
[MEDIUM] CWE-79 Mattermost Server is vulnerable to XSS through crafted links
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.
Sources: ghsa, osv