github.com/mattermost/mattermost-server/v5 vulnerabilities

18 known vulnerabilities affecting github.com/mattermost/mattermost-server/v5.

Total CVEs: 18
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 13, LOW 4, UNKNOWN 1

Vulnerabilities

CVE-2018-21258 | Severity: UNKNOWN | Affected: ≥ 0, < 5.1.0 | Date: 2025-11-25
Mattermost Server is vulnerable to a Denial of Service attack through the `invite_people` command in github.com/mattermost/mattermost-server.
Sources: OSV
CVE-2025-11776 | Severity: MEDIUM | CWE-863 | Affected: ≥ 0, < 5.3.2-0.20250815165020-c8d66301415d | Date: 2025-11-14
Mattermost fails to properly restrict access to archived channel search API
Mattermost versions < 11 fail to properly restrict access to the archived channel search API, which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint.
Sources: GHSA, OSV
CVE-2025-11777 | Severity: LOW | CWE-863 | Affected: ≥ 0, < 5.3.2-0.20250905150616-ba86dfc5876b | Date: 2025-11-13
Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.
Sources: GHSA, OSV
CVE-2025-49222 | Severity: MEDIUM | CWE-434 | Affected: ≥ 0, ≤ 5.39.3 | Date: 2025-08-21
Mattermost Fails to Validate Remote Cluster Upload Sessions
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions, which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.
Sources: GHSA, OSV
CVE-2025-36530 | Severity: MEDIUM | CWE-22 | Affected: ≥ 0, ≤ 5.11.1 | Date: 2025-08-21
Mattermost Fails to Validate File Paths
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations, which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.
Sources: GHSA, OSV
CVE-2025-8402 | Severity: MEDIUM | CWE-476 | Affected: ≥ 0, ≤ 5.39.3 | Date: 2025-08-21
Mattermost has Potential Server Crash due to Unvalidated Import Data
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data, which allows a system admin to crash the server via the bulk import feature.
Sources: GHSA, OSV
CVE-2025-8023 | Severity: MEDIUM | CWE-22 | Affected: ≥ 0, ≤ 5.39.5 | Date: 2025-08-21
Mattermost Fails to Sanitize Path Traversal Sequences
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories.
Sources: GHSA, OSV
CVE-2025-47870 | Severity: MEDIUM | CWE-306 | Affected: ≥ 0, ≤ 5.39.3 | Date: 2025-08-21
Mattermost Does Not Sanitize the Team Invite ID
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint, which allows a team admin with no member invite privileges to obtain the team's invite ID.
Sources: GHSA, OSV
CVE-2025-53971 | Severity: LOW | CWE-863 | Affected: ≥ 0, ≤ 5.39.3 | Date: 2025-08-21
Mattermost Fails to Properly Validate Team Role Modification
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications, which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.
Sources: GHSA, OSV
CVE-2024-39837 | Severity: LOW | CWE-284 | Affected: ≥ 0, < 5.3.2-0.20240626164322-c758cecaf30c | Date: 2024-08-01
Mattermost did not properly restrict channel creation
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation, which allows a malicious remote to create arbitrary channels when shared channels were enabled.
Sources: GHSA, OSV
CVE-2024-28053 | Severity: LOW | CWE-400 | Affected: ≥ 0, < 0.0.0-20240209181221-674f549daf0e | Date: 2024-03-15
Mattermost Server Resource Exhaustion
Mattermost Server versions 8.1.x before 8.1.10 fail to limit the size of the payload that can be read and parsed, allowing an attacker to send a very large email payload and crash the server.
Sources: GHSA, OSV
CVE-2023-5968 | Severity: MEDIUM | CWE-116 | Affected: ≥ 0, < 5.3.2-0.20230825233148-f787fd63368a | Date: 2023-11-06
Mattermost password hash disclosure vulnerability
Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.
Sources: GHSA, OSV
CVE-2023-1775 | Severity: MEDIUM | CWE-668 | Affected: ≥ 5.0.0, < 7.1.6 | Date: 2023-03-31
Mattermost vulnerable to information disclosure
When running in a High Availability configuration, Mattermost fails to sanitize some of the `user_updated` and `post_deleted` events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected WebSocket clients. [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00138
Sources: GHSA, OSV
CVE-2023-1774 | Severity: MEDIUM | CWE-862 | Affected: ≥ 5.0.0, < 7.1.6 | Date: 2023-03-31
Mattermost fails to properly authenticate the inviter's permissions to a private channel
When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel. [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00137
Sources: GHSA, OSV
CVE-2023-1776 | Severity: MEDIUM | CWE-79 | Affected: ≥ 5.0.0, < 7.1.6 | Date: 2023-03-31
Mattermost vulnerable to cross-site scripting (XSS)
Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. [Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00139
Sources: GHSA, OSV
CVE-2020-14457 | Severity: MEDIUM | CWE-862 | Affected: ≥ 0, < 5.20.0 | Date: 2022-05-24
Mattermost Server Sensitive Data Exposure
An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the `update_team` WebSocket event, aka MMSA-2020-0012.
Sources: GHSA, OSV
CVE-2022-1332 | Severity: MEDIUM | CWE-200 | Affected: ≥ 0, < 5.37.9 | Date: 2022-04-14
Improper Privilege Management in Mattermost
One of the APIs in Mattermost version 6.4.1 and earlier fails to properly protect permissions, which allows authenticated members with a restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents. Per the Mattermost security updates page, versions 6.4.2, 6.3.5, 6.2.5, and 5.37.9 contain patches for this issue.
Sources: GHSA, OSV
CVE-2021-37860 | Severity: MEDIUM | CWE-79 | Affected: ≥ 0, < 5.39.0 | Date: 2021-09-23
Cross-site Scripting in Mattermost
Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP.
Sources: GHSA, OSV