cvebase

github.com/mattermost/mattermost-server vulnerabilities

250 known vulnerabilities affecting github.com/mattermost/mattermost-server.

Total CVEs: 250
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 10, HIGH 24, MEDIUM 116, LOW 28, UNKNOWN 72

Vulnerabilities

Page 8 of 13
CVE-2017-18904 | P4 | MEDIUM | CWE-79 | Published 2022-05-24
Affected: ≥ 0, < 3.9.2; ≥ 3.10.0, < 3.10.2
Mattermost Server vulnerable to XSS via an uploaded file
An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.
Sources: GHSA, OSV

CVE-2017-18877 | P4 | MEDIUM | CWE-79 | Published 2022-05-24
Affected: ≥ 0, < 4.1.2; ≥ 4.2.0, < 4.2.1; +1 more
Mattermost Server is vulnerable to XSS attacks against an OAuth 2.0 allow/deny page
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.
Sources: GHSA, OSV

CVE-2017-18897 | P4 | MEDIUM | CWE-601 | Published 2022-05-24
Affected: ≥ 0, < 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more
Mattermost Server mishandles redirect denial action
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a deny action for a redirection.
Sources: GHSA, OSV

CVE-2016-11083 | P4 | MEDIUM | CWE-79 | Published 2022-05-24
Affected: ≥ 0, < 2.2.0
Mattermost Server: files may be rendered inline instead of downloaded, allowing script execution
An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.
Sources: GHSA, OSV
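CVE-2017-18904 and CVE-2016-11083 above are the same failure class: a user-uploaded file is handed back to the browser in a way that lets it render as HTML in the chat server's origin. The example below is added here and is not code from the Mattermost project; it is a hypothetical Go file endpoint (`serveUpload`, `GET /files?name=`) with a constructed two-file store standing in for the upload backend. It shows the server-side policy that closes the class: only an allowlist of image types is sent with `Content-Disposition: inline`, everything else is forced to download as `application/octet-stream`, `X-Content-Type-Options: nosniff` stops the browser from sniffing the body back into `text/html`, and a `sandbox` CSP keeps even a rendered body out of the site's origin. `responseHeaders` drives the handler in-process so the policy can be checked without a listening server.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// Constructed stand-in for the upload store (example data, not Mattermost's
// file backend): an HTML payload and the first bytes of a PNG.
var sampleFiles = map[string][]byte{
	"report.html": []byte("<script>alert(document.cookie)</script>"),
	"photo.png":   {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a},
}

// Types that may be rendered in the browser window. HTML, SVG and XML are
// deliberately absent: rendered inline they run script in the site's origin.
var inlineTypes = map[string]string{
	".png":  "image/png",
	".jpg":  "image/jpeg",
	".jpeg": "image/jpeg",
	".gif":  "image/gif",
}

// headersFor decides how the file called name is delivered: allowlisted image
// types get "inline", everything else is forced to download with a
// Content-Type no browser will render.
func headersFor(name string) (contentType, disposition string) {
	base := path.Base(name) // drop directory parts of a user-controlled name
	if ct, ok := inlineTypes[strings.ToLower(path.Ext(base))]; ok {
		return ct, mime.FormatMediaType("inline", map[string]string{"filename": base})
	}
	return "application/octet-stream",
		mime.FormatMediaType("attachment", map[string]string{"filename": base})
}

// serveUpload is a hypothetical file endpoint, GET /files?name=<file>.
func serveUpload(w http.ResponseWriter, r *http.Request) {
	name := r.URL.Query().Get("name")
	data, ok := sampleFiles[path.Base(name)]
	if !ok {
		http.NotFound(w, r)
		return
	}
	ct, disp := headersFor(name)
	h := w.Header()
	h.Set("Content-Type", ct)
	h.Set("Content-Disposition", disp)
	// Keep browsers from sniffing octet-stream back into text/html.
	h.Set("X-Content-Type-Options", "nosniff")
	// If a client renders the body anyway, it does so in an opaque origin
	// with scripts disabled.
	h.Set("Content-Security-Policy", "sandbox")
	_, _ = w.Write(data)
}

// responseHeaders drives the handler in-process so the policy can be checked
// without a listening server.
func responseHeaders(name string) http.Header {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/files?name="+url.QueryEscape(name), nil)
	serveUpload(rec, req)
	return rec.Result().Header
}

func main() {
	for _, n := range []string{"report.html", "photo.png", "../report.html"} {
		h := responseHeaders(n)
		fmt.Printf("%-16s %s | %s | nosniff=%s\n", n,
			h.Get("Content-Type"), h.Get("Content-Disposition"), h.Get("X-Content-Type-Options"))
	}
}
```

The allowlist is the load-bearing part: a denylist of ".html" extensions misses ".svg", ".xhtml", ".xml" and whatever the next browser learns to render, whereas an allowlist of a few image types fails closed. A practitioner auditing a file endpoint should check all three headers on a response for an uploaded `.html` file, not just `Content-Disposition`.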
CVE-2016-11070 | P4 | MEDIUM | CWE-79 | Published 2022-05-24
Affected: ≥ 0, < 3.1.0
Mattermost Server is vulnerable to XSS through customizable theme color-code values
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.
Sources: GHSA, OSV

CVE-2024-39839 | P4 | UNKNOWN | Published 2024-08-06
Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.7.0+incompatible, < 9.7.6+incompatible; +2 more
Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server
Sources: OSV

CVE-2026-22892 | P4 | MEDIUM | CWE-863 | Published 2026-02-13
Affected: ≥ 11.2.0, < 11.2.2; ≥ 11.1.0, < 11.1.3; +1 more
Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels th
Sources: GHSA, OSV

CVE-2026-4265 | P4 | MEDIUM | CWE-863 | Published 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260107144005-c7f6efdfb035; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost fails to validate team-specific upload_file permissions
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a di
Sources: GHSA, OSV

CVE-2025-3611 | P4 | UNKNOWN | Published 2025-06-03
Affected: ≥ 9.0.0-rc1+incompatible, < 9.11.13+incompatible; ≥ 10.0.0-rc1+incompatible, < 10.5.4+incompatible; +1 more
Mattermost fails to properly enforce access control restrictions for System Manager roles in github.com/mattermost/mattermost-server
Sources: OSV

CVE-2024-41926 | P4 | UNKNOWN | Published 2024-08-06
Affected: ≥ 9.5.0+incompatible, < 9.5.7+incompatible; ≥ 9.9.0+incompatible, < 9.9.1+incompatible
Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server
Sources: OSV

CVE-2026-4053 | P4 | LOW | CWE-672 | Published 2026-05-15
Affected: ≥ 11.5.0, < 11.5.2; ≥ 0.0.0-20250731163400-5b955468ea1e, < 0.0.0-20260414103857-b21ef302025e
Mattermost doesn't enforce the PostEditTimeLimit on non-message post fields
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has expired via the post patch and update API endpoints. Mattermost Advisory ID: MMS
Sources: GHSA
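The CVE-2026-4053 entry describes a time-limit check that was applied to the message text but not to the other fields a patch request can carry. The example below is added here and is not Mattermost's code; `Post` and `PostPatch` are trimmed-down hypothetical types (not `model.Post`), and the "limit <= 0 means unlimited" convention is an assumption of the example. It puts the failure pattern (`applyPatchVulnerable`: the window is checked only when `Message` is present) beside the corrected form (`applyPatch`: the window is checked against every field the patch actually changes, with a no-op patch still allowed).

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"time"
)

// Post is a trimmed-down, hypothetical post record (not Mattermost's model.Post).
type Post struct {
	ID       string
	UserID   string
	CreateAt time.Time
	Message  string
	FileIDs  []string
	Props    map[string]any
	IsPinned bool
}

// PostPatch carries only the fields a client asked to change; nil means untouched.
type PostPatch struct {
	Message  *string
	FileIDs  *[]string
	Props    *map[string]any
	IsPinned *bool
}

var ErrEditWindowExpired = errors.New("post edit time limit exceeded")

// editWindowExpired reports whether the post is past the configured edit window.
// Assumption of this example: a limit <= 0 means edits are never time-limited.
func editWindowExpired(p Post, now time.Time, limit time.Duration) bool {
	return limit > 0 && now.Sub(p.CreateAt) > limit
}

// patchChanges lists the fields whose incoming value differs from the stored one,
// so a patch that re-sends the current values is not treated as an edit.
func patchChanges(p Post, patch PostPatch) []string {
	var changed []string
	if patch.Message != nil && *patch.Message != p.Message {
		changed = append(changed, "message")
	}
	if patch.FileIDs != nil && !reflect.DeepEqual(*patch.FileIDs, p.FileIDs) {
		changed = append(changed, "file_ids")
	}
	if patch.Props != nil && !reflect.DeepEqual(*patch.Props, p.Props) {
		changed = append(changed, "props")
	}
	if patch.IsPinned != nil && *patch.IsPinned != p.IsPinned {
		changed = append(changed, "is_pinned")
	}
	return changed
}

// applyPatchVulnerable mirrors the failure class in the advisory: the window is
// checked only when the message text is being changed, so attachments, props and
// pin status can still be rewritten after it has closed.
func applyPatchVulnerable(p Post, patch PostPatch, now time.Time, limit time.Duration) (Post, error) {
	if patch.Message != nil && editWindowExpired(p, now, limit) {
		return p, ErrEditWindowExpired
	}
	return apply(p, patch), nil
}

// applyPatch enforces the window against every field the patch actually changes.
func applyPatch(p Post, patch PostPatch, now time.Time, limit time.Duration) (Post, error) {
	if changed := patchChanges(p, patch); len(changed) > 0 && editWindowExpired(p, now, limit) {
		return p, fmt.Errorf("%w: %v", ErrEditWindowExpired, changed)
	}
	return apply(p, patch), nil
}

// apply copies the requested fields onto a copy of the post; it does no checks itself.
func apply(p Post, patch PostPatch) Post {
	if patch.Message != nil {
		p.Message = *patch.Message
	}
	if patch.FileIDs != nil {
		p.FileIDs = *patch.FileIDs
	}
	if patch.Props != nil {
		p.Props = *patch.Props
	}
	if patch.IsPinned != nil {
		p.IsPinned = *patch.IsPinned
	}
	return p
}

func main() {
	created := time.Date(2026, 1, 1, 12, 0, 0, 0, time.UTC)
	post := Post{ID: "p1", UserID: "u1", CreateAt: created, Message: "hello", FileIDs: []string{"f1"}}
	swap := []string{"f-attacker"} // attachment swap sent an hour after the post was created
	patch := PostPatch{FileIDs: &swap}
	_, err := applyPatchVulnerable(post, patch, created.Add(time.Hour), 5*time.Minute)
	fmt.Println("vulnerable:", err)
	_, err = applyPatch(post, patch, created.Add(time.Hour), 5*time.Minute)
	fmt.Println("fixed:     ", err)
}
```

The general lesson is that an authorization or time-window check belongs on the write path as a whole, keyed on "does this request change anything the policy covers", not on one field the developer had in mind when the check was written. Both the patch and the full-update endpoint named in the advisory should go through the same function.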
CVE-2026-28759 | P4 | MEDIUM | CWE-863 | Published 2026-05-18
Affected: ≥ 0, < 5.3.2-0.20260216150504-8738f8c4b3d4
Mattermost does not verify remote cluster channel access when processing shared channel membership removals
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious re
Sources: GHSA

CVE-2026-2457 | P4 | MEDIUM | CWE-346 | Published 2026-03-16
Affected: ≥ 0, < 5.3.2-0.20260123211116-9efe617be8b8; ≥ 10.11.0-rc1, < 10.11.11; +2 more
Mattermost allows attackers to spoof permalink embeds
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisory ID: MMSA-2025-00569
Sources: GHSA, OSV

CVE-2017-18887 | P4 | MEDIUM | CWE-200 | Published 2022-05-24
Affected: ≥ 0, < 4.1.2; ≥ 4.2.0-rc1, < 4.2.1; +1 more
Mattermost Server exposes team creator's e-mail address to other members
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members.
Sources: GHSA, OSV

CVE-2017-18892 | P4 | MEDIUM | CWE-116 | Published 2022-05-24
Affected: ≥ 0, < 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more
Mattermost Server does not neutralize HTML content in an Email template field
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.
Sources: GHSA, OSV

CVE-2016-11071 | P4 | MEDIUM | CWE-79 | Published 2022-05-24
Affected: ≥ 0, < 3.1.0
Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener`
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place.
Sources: GHSA, OSV

CVE-2016-11073 | P4 | MEDIUM | CWE-79 | Published 2022-05-24
Affected: ≥ 0, < 3.0.0
Mattermost Server is vulnerable to XSS via a Legal or Support setting
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.
Sources: GHSA, OSV

CVE-2016-11079 | P4 | MEDIUM | CWE-79 | Published 2022-05-24
Affected: ≥ 0, < 3.0.0
Mattermost Server allows XSS via redirect URL
An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a redirect URL.
Sources: GHSA, OSV

CVE-2017-18891 | P4 | MEDIUM | Published 2022-05-24
Affected: ≥ 0, < 4.0.5; ≥ 4.1.0, < 4.1.1; +1 more
Mattermost Server does not safeguard against phishing via error page links
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows phishing because an error page can have a link.
Sources: GHSA, OSV
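Three entries on this page turn on where a redirect or link target is allowed to point: CVE-2016-11079 (a `javascript:` or similar URL reaching a redirect sink becomes XSS), CVE-2017-18891 (a link on an error page pointing to an attacker-chosen host becomes phishing) and CVE-2017-18897 (the OAuth deny branch not applying the same handling as the allow branch). The example below is added here and is not Mattermost's code; `site` (`https://chat.example.com`) and the `/` fallback are assumptions of the example. `safeRedirect` reduces an untrusted redirect value to a same-origin, path-only target and falls back for anything it cannot prove safe, including the protocol-relative `//host`, `/\host` and `///host` spellings that browsers resolve to another origin. Both the allow and the deny branch of a consent page would call the same function.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// site is the hypothetical deployment's own origin; fallback is where the user
// lands when the requested target is rejected. Both are assumptions of this example.
var site = mustParse("https://chat.example.com")

const fallback = "/"

func mustParse(s string) *url.URL {
	u, err := url.Parse(s)
	if err != nil {
		panic(err)
	}
	return u
}

// safeRedirect turns an untrusted redirect value into a same-origin, path-only
// target, or returns fallback when the value cannot be trusted. Rejected cases:
// non-http(s) schemes such as javascript:, foreign hosts, and any path that
// begins with "//" (browsers read "//evil" and "///evil" as an authority).
func safeRedirect(raw string) string {
	if raw == "" {
		return fallback
	}
	// Browsers treat backslashes as slashes; normalise before parsing so that
	// "/\evil.example" is seen as "//evil.example" and rejected as a host.
	raw = strings.ReplaceAll(raw, `\`, "/")
	u, err := url.Parse(raw)
	if err != nil {
		return fallback
	}
	// Conservative origin match: scheme and host:port must equal the site's own.
	sameOrigin := strings.EqualFold(u.Scheme, site.Scheme) && strings.EqualFold(u.Host, site.Host)
	relative := u.Scheme == "" && u.Host == "" && u.Opaque == "" && strings.HasPrefix(u.Path, "/")
	if !sameOrigin && !relative {
		return fallback
	}
	if strings.HasPrefix(u.Path, "//") {
		return fallback
	}
	// Rebuild from the parts we keep so no scheme, host or userinfo survives.
	out := url.URL{Path: u.Path, RawQuery: u.RawQuery, Fragment: u.Fragment}
	if out.Path == "" {
		out.Path = "/"
	}
	return out.String()
}

func main() {
	// Constructed inputs: what a redirect_to parameter might carry.
	for _, in := range []string{
		"/channels/town-square",
		"https://chat.example.com/login?next=1",
		"javascript:alert(1)",
		"https://evil.example/login",
		"//evil.example/x",
		`/\evil.example`,
		"///evil.example",
	} {
		fmt.Printf("%-40q -> %q\n", in, safeRedirect(in))
	}
}
```

Returning a path rather than the original string is the point: the sink then only ever emits a value whose origin is the site's own, so neither a `Location` header nor an `<a href>` built from it can carry a script URL or a foreign host. If a deployment legitimately redirects to other trusted origins, add an explicit allowlist of hosts rather than loosening the parse.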
CVE-2023-5968 | P4 | MEDIUM | CWE-116 | Published 2023-11-06
Affected: ≥ 0, < 5.3.2-0.20230825233148-f787fd63368a
Mattermost password hash disclosure vulnerability
Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.
Sources: GHSA, OSV