github.com/mattermost/mattermost-server vulnerabilities
250 known vulnerabilities affecting github.com/mattermost_mattermost-server.
Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72
Vulnerabilities
Page 8 of 13

CVE-2017-18904 [MEDIUM] CWE-79 Mattermost Server vulnerable to XSS via an uploaded file
P4 | Affected: ≥ 0, < 3.9.2; ≥ 3.10.0, < 3.10.2 | 2022-05-24 | Sources: ghsa, osv
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.

CVE-2017-18877 [MEDIUM] CWE-79 Mattermost Server is vulnerable to XSS attacks against an OAuth 2.0 allow/deny page
P4 | Affected: ≥ 0, < 4.1.2; ≥ 4.2.0, < 4.2.1; +1 more | 2022-05-24 | Sources: ghsa, osv
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.

CVE-2017-18897 [MEDIUM] CWE-601 Mattermost Server mishandles redirect denial action
P4 | Affected: ≥ 0, < 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | 2022-05-24 | Sources: ghsa, osv
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection.

CVE-2016-11083 [MEDIUM] CWE-79 Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution
P4 | Affected: ≥ 0, < 2.2.0 | 2022-05-24 | Sources: ghsa, osv
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.

CVE-2016-11070 [MEDIUM] CWE-79 Mattermost Server is vulnerable to XSS through customizable theme color-code values
P4 | Affected: ≥ 0, < 3.1.0 | 2022-05-24 | Sources: ghsa, osv
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.

CVE-2024-39839 [UNKNOWN] Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server
P4 | Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more | 2024-08-06 | Sources: osv

CVE-2026-22892 [MEDIUM] CWE-863 Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts
P4 | Affected: ≥ 11.2.0, < 11.2.2; ≥ 11.1.0, < 11.1.3; +1 more | 2026-02-13 | Sources: ghsa, osv
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels th

CVE-2026-4265 [MEDIUM] CWE-863 Mattermost fails to validate team-specific upload_file permissions
P4 | Affected: ≥ 0, < 5.3.2-0.20260107144005-c7f6efdfb035; ≥ 10.11.0-rc1, < 10.11.11; +2 more | 2026-03-16 | Sources: ghsa, osv
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a di

CVE-2025-3611 [UNKNOWN] Mattermost fails to properly enforce access control restrictions for System Manager roles in github.com/mattermost/mattermost-server
P4 | Affected: ≥ 9.0.0-rc1+incompatible, < 9.11.13+incompatible; ≥ 10.0.0-rc1+incompatible, < 10.5.4+incompatible; +1 more | 2025-06-03 | Sources: osv

CVE-2024-41926 [UNKNOWN] Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server
P4 | Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.9.0+incompatible, < 9.9.1+incompatible | 2024-08-06 | Sources: osv

CVE-2026-4053 [LOW] CWE-672 Mattermost doesn't enforce the PostEditTimeLimit on non-message post fields
P4 | Affected: ≥ 11.5.0, < 11.5.2; ≥ 0.0.0-20250731163400-5b955468ea1e, < 0.0.0-20260414103857-b21ef302025e | 2026-05-15 | Sources: ghsa
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has expired via the post patch and update API endpoints. Mattermost Advisory ID: MMS

CVE-2026-28759 [MEDIUM] CWE-863 Mattermost does not verify remote cluster channel access when processing shared channel membership removals
P4 | Affected: ≥ 0, < 5.3.2-0.20260216150504-8738f8c4b3d4 | 2026-05-18 | Sources: ghsa
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious re

CVE-2026-2457 [MEDIUM] CWE-346 Mattermost allows attackers to spoof permalink embeds
P4 | Affected: ≥ 0, < 5.3.2-0.20260123211116-9efe617be8b8; ≥ 10.11.0-rc1, < 10.11.11; +2 more | 2026-03-16 | Sources: ghsa, osv
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisory ID: MMSA-2025-00569

CVE-2017-18887 [MEDIUM] CWE-200 Mattermost Server exposes team creator's e-mail address to other members
P4 | Affected: ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1; +1 more | 2022-05-24 | Sources: ghsa, osv
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members.

CVE-2017-18892 [MEDIUM] CWE-116 Mattermost Server does not neutralize HTML content in an Email template field
P4 | Affected: ≥ 0, < 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | 2022-05-24 | Sources: ghsa, osv
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.

CVE-2016-11071 [MEDIUM] CWE-79 Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener`
P4 | Affected: ≥ 0, < 3.1.0 | 2022-05-24 | Sources: ghsa, osv
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.

CVE-2016-11073 [MEDIUM] CWE-79 Mattermost Server is vulnerable to XSS via a Legal or Support setting
P4 | Affected: ≥ 0, < 3.0.0 | 2022-05-24 | Sources: ghsa, osv
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.

CVE-2016-11079 [MEDIUM] CWE-79 Mattermost Server allows XSS via redirect URL
P4 | Affected: ≥ 0, < 3.0.0 | 2022-05-24 | Sources: ghsa, osv
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.

CVE-2017-18891 [MEDIUM] Mattermost Server does not safeguard against phishing via error page links
P4 | Affected: ≥ 0, < 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more | 2022-05-24 | Sources: ghsa, osv
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows phishing because an error page can have a link.

CVE-2023-5968 [MEDIUM] CWE-116 Mattermost password hash disclosure vulnerability
P4 | Affected: ≥ 0, < 5.3.2-0.20230825233148-f787fd63368a | 2023-11-06 | Sources: ghsa, osv
Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.