Github.Com Mattermost Mattermost Server V8 vulnerabilities

199 known vulnerabilities affecting github.com/mattermost_mattermost_server_v8.

Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 15, MEDIUM 129, LOW 48

Vulnerabilities

Page 1 of 10
CVE-2025-12419 | P2 | CRITICAL | ≥ 0, < 8.0.0-20251028000919-d3ed703dc833 | 2025-11-27
CWE-287: Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication. Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication, which allows an authenticated attacker with team creation privileges to take over a user account vi
Sources: GHSA, OSV
CVE-2025-12421 | P2 | CRITICAL | ≥ 0, < 8.0.0-20251022210333-acda1fb5dd46 | 2025-11-27
CWE-287: Mattermost fails to verify the token used during code exchange. Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authent
Sources: GHSA, OSV
CVE-2025-4981 | P2 | CRITICAL | ≥ 0, < 8.0.0-20250519205859-65aec10162f6; ≥ 10.5.0, < 10.5.6; +4 more | 2025-06-20
CWE-427: Mattermost allows authenticated users to write files to arbitrary locations. Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor, which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenam
Sources: GHSA, OSV
CVE-2025-25279 | P2 | CRITICAL | ≥ 0, < 8.0.0-20250122165010-4ed702ccff4e; ≥ 9.11.0-rc1, < 9.11.8; +3 more | 2025-02-24
CWE-22: Mattermost allows reading arbitrary files related to importing boards. Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards, which allows an attacker to read any arbitrary file on the system via importing and exporting a specially crafted import archive in Boards.
Sources: GHSA, OSV
CVE-2026-3108 | P3 | HIGH | ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more | 2026-03-26
CWE-150: Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences. Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output, which allows attackers to manipulate
Sources: GHSA, OSV
CVE-2025-14273 | P3 | HIGH | ≥ 0, < 8.0.0-20251121122154-b57c297c6d7a | 2025-12-22
CWE-303: Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm. Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <= 4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated
Sources: GHSA, OSV
CVE-2024-39777 | P3 | CRITICAL | ≥ 9.9.0, < 9.9.1; ≥ 9.5.0, < 9.5.7; +2 more | 2024-08-01
CWE-284: Mattermost allows unsolicited invites to expose access to local channels. Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then b
Sources: GHSA, OSV
CVE-2025-25274 | P3 | MEDIUM | ≥ 10.4.0, < 10.4.3; ≥ 10.3.0, < 10.3.4; +2 more | 2025-03-21
CWE-77: Mattermost Fails to Restrict Command Execution in Archived Channels. Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.
Sources: GHSA, OSV
CVE-2025-25068 | P3 | HIGH | ≥ 10.4.0, < 10.4.3; ≥ 10.3.0, < 10.3.4; +2 more | 2025-03-21
CWE-306: Mattermost Fails to Enforce MFA on Plugin Endpoints. Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.
Sources: GHSA, OSV
CVE-2025-58073 | P3 | HIGH | ≥ 0, < 8.0.0-20250807174701-e14175eb6539 | 2025-10-16
CWE-862: Mattermost has a Missing Authorization vulnerability. Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify that a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state.
Sources: GHSA, OSV
CVE-2025-58075 | P3 | HIGH | ≥ 0, < 8.0.0-20250815100400-2d5cdc6e217e | 2025-10-16
CWE-862: Mattermost has a Missing Authorization vulnerability. Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify that a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState.
Sources: GHSA, OSV
CVE-2026-6346 | P3 | HIGH | ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +2 more | 2026-05-18
CWE-200: Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation. Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a suppo
Sources: GHSA
CVE-2023-6458 | P3 | HIGH | ≥ 0, < 8.1.5; ≥ 9.0.0, < 9.0.3 | 2023-12-06
CWE-22: Mattermost Injection vulnerability. Mattermost webapp fails to validate route parameters in //channels/, allowing an attacker to perform a client-side path traversal.
Sources: GHSA, OSV
CVE-2025-9079 | P3 | HIGH | ≥ 0, < 8.0.0-20250707221302-a8fa77f107ef | 2025-09-19
CWE-22: Mattermost Path Traversal vulnerability. Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration, which allows admin users to execute arbitrary code via malicious plugin upload to the prepackaged plugins directory.
Sources: GHSA, OSV
CVE-2025-1412 | P3 | LOW | ≥ 0, < 8.0.0-20241217145510-faa7e4f2ea0c; ≥ 10.4.0-rc1, < 10.4.2; +1 more | 2025-02-24
CWE-384: Mattermost fails to invalidate all active sessions when converting a user to a bot. Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, which allows the converted user to escalate their privileges depending on the permissions granted to the bot.
Sources: GHSA, OSV
CVE-2025-55070 | P3 | MEDIUM | ≥ 0, < 8.0.0-20250912063506-7d8b7b5e4a60 | 2025-11-14
CWE-306: Mattermost does not enforce MFA on WebSocket connections. Mattermost versions < 11 fail to enforce multi-factor authentication on WebSocket connections, which allows unauthenticated users to access sensitive information via WebSocket events.
Sources: GHSA, OSV
CVE-2026-5740 | P3 | HIGH | ≥ 0, < 8.0.0-20260410202636-17939826efa2 | 2026-05-26
CWE-789: Mattermost doesn't properly validate msgpack-encoded WebSocket frames before memory allocation. Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation, which allows an unauthenticated remote attacker to crash the server process and cause a full service o
Sources: GHSA
CVE-2026-28741 | P3 | MEDIUM | ≥ 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20260220133927-c29cf05d40f8; ≥ 11.5.0-rc1, < 11.5.0; +2 more | 2026-04-17
CWE-352: Mattermost doesn't validate CSRF tokens on an authentication endpoint. Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint, which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost Advisory ID: MMSA-2026-00625
Sources: GHSA
CVE-2024-40886 | P3 | MEDIUM | ≥ 9.9.0, < 9.9.2; ≥ 9.5.0, < 9.5.8; +2 more | 2024-08-22
CWE-352: Mattermost Cross-Site Request Forgery vulnerability. Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection, which allows a one-click client-side path traversal leading to CSRF in the User Management page of the system console.
Sources: GHSA, OSV
CVE-2024-39832 | P3 | MEDIUM | ≥ 9.5.0, < 9.5.7; ≥ 9.7.0, < 9.7.6; +2 more | 2024-08-01
CWE-754: Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling. Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly safeguard error handling, which allows a malicious remote to permanently delete local data by abusing dangerous error handling when shared channels are enabled.
Sources: GHSA, OSV