
Github.Com Mattermost Mattermost Server V8 vulnerabilities

199 known vulnerabilities affecting github.com/mattermost_mattermost_server_v8.

Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 15, MEDIUM 129, LOW 48

Vulnerabilities

Page 2 of 10
CVE-2026-20719 | P3 | MEDIUM | published 2026-03-25
Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more
CWE-754 | Mattermost: Authenticated DoS through failure to prevent rendering of external SVGs on link embeds
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitH
Sources: ghsa, osv
CVE-2026-24458 | P3 | HIGH | published 2026-03-16
Affected: ≥ 0, < 8.0.0-20260129164748-7201f42d955f
CWE-770 | Mattermost fails to properly handle very long passwords
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587
Sources: ghsa, osv
CVE-2024-8071 | P3 | MEDIUM | published 2024-08-22
Affected: ≥ 9.9.0, < 9.9.2; ≥ 9.5.0, < 9.5.8; +2 more
CWE-284 | Mattermost doesn't restrict which roles can promote a user as system admin
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role (e.g. member) to include the `manage_system` permission,
Sources: ghsa, osv
CVE-2024-41144 | P3 | HIGH | published 2024-08-01
Affected: ≥ 9.5.0, < 9.5.7; ≥ 9.7.0, < 9.7.6; +3 more
CWE-284 | Mattermost allows remote actor to create/update/delete posts in arbitrary channels
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels
Sources: ghsa, osv
CVE-2025-35965 | P3 | MEDIUM | published 2025-04-24
Affected: ≥ 0, < 8.0.0-20250218121836-2b5275d87136; ≥ 10.4.0; +2 more
CWE-770 | Mattermost Playbooks fails to validate the uniqueness and quantity of task actions
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions triggered by specific posts
Sources: ghsa, osv
CVE-2025-9081 | P3 | LOW | published 2025-09-19
Affected: ≥ 0, < 8.0.0-20250721095935-11c36f4d1e44
CWE-639 | Mattermost boards plugin fails to restrict download access to files
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration
Sources: ghsa, osv
CVE-2025-31363 | P3 | LOW | published 2025-04-16
Affected: ≥ 10.5.0, < 10.5.1; ≥ 10.4.0, < 10.4.3; +2 more
CWE-201 | Mattermost doesn't restrict domains LLM can request to contact upstream
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection in the AI plugin's Jira tool.
Sources: ghsa, osv
CVE-2025-20621 | P3 | MEDIUM | published 2025-01-16
Affected: ≥ 10.2.0, < 10.2.1; ≥ 10.1.0, < 10.1.4; +3 more
CWE-1287 | Mattermost webapp crash via a crafted post
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel.
Sources: ghsa, osv
CVE-2024-47401 | P3 | MEDIUM | published 2024-10-29
Affected: ≥ 0, < 8.0.0-20240926115259-20ed58906adc
CWE-770 | Mattermost Server vulnerable to application crash from attacker-generated large response
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to cr
Sources: ghsa, osv
CVE-2025-9076 | P3 | MEDIUM | published 2025-09-15
Affected: ≥ 0, < 8.0.0-20250729073403-517ae758cd02
CWE-862 | Mattermost Missing Authorization vulnerability
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.
Sources: ghsa, osv
CVE-2026-5163 | P3 | MEDIUM | published 2026-05-18
Affected: ≥ 11.5.0, < 11.5.2; ≥ 0, < 8.0.0-20260401090745-f4d1abe7e8f5
CWE-862 | Mattermost doesn't verify channel membership when processing AI-assisted message rewrites
Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post r
Sources: ghsa
CVE-2023-40703 | P3 | MEDIUM | published 2023-11-27
Affected: ≥ 9.1.0, < 9.1.1; ≥ 9.0.0, < 9.0.2; +1 more
CWE-400 | Mattermost Uncontrolled Resource Consumption vulnerability
Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards, allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string.
Sources: ghsa, osv
CVE-2023-48268 | P3 | MEDIUM | published 2023-11-27
Affected: ≥ 9.1.0, < 9.1.1; ≥ 9.0.0, < 9.0.2; +1 more
CWE-400 | Mattermost Uncontrolled Resource Consumption vulnerability
Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards, allowing an attacker to consume excessive resources, possibly leading to Denial of Service, by importing a board using a specially crafted zip (zip bomb).
Sources: ghsa, osv
CVE-2025-20051 | P3 | CRITICAL | published 2025-02-24
Affected: ≥ 0, < 8.0.0-20250122165010-4ed702ccff4e; ≥ 9.11.0-rc1, < 9.11.8; +3 more
CWE-22 | Mattermost allows reading arbitrary files
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards.
Sources: ghsa, osv
CVE-2025-41395 | P3 | MEDIUM | published 2025-04-24
Affected: ≥ 0, < 8.0.0-20250218121836-2b5275d87136; ≥ 10.4.0; +2 more
CWE-1287 | Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with malicious
Sources: ghsa, osv
CVE-2024-39274 | P3 | CRITICAL | published 2024-08-01
Affected: ≥ 9.5.0, < 9.5.7; ≥ 9.7.0, < 9.7.6; +2 more
CWE-284 | Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remot
Sources: ghsa, osv
CVE-2026-6345 | P3 | MEDIUM | published 2026-05-18
Affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +2 more
CWE-522 | Mattermost doesn't prevent disclosure of created user password
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 do not prevent disclosure of created user passwords, which allows a malicious attacker to impersonate a user via the use of some of those passwords. Mattermost Advisory ID: MMSA-2026-00614
Sources: ghsa
CVE-2025-6226 | P3 | MEDIUM | published 2025-07-18
Affected: ≥ 0, < 8.0.0-20250520130510-fa40a8c5d47f
CWE-306 | Mattermost Missing Authentication for Critical Function
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.
Sources: ghsa, osv
CVE-2025-49222 | P3 | MEDIUM | published 2025-08-21
Affected: ≥ 0, < 8.0.0-20250708173752-d6b35c41f0ae5
CWE-434 | Mattermost Fails to Validate Remote Cluster Upload Sessions
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.
Sources: ghsa, osv
CVE-2025-30179 | P3 | MEDIUM | published 2025-03-21
Affected: ≥ 10.4.0, < 10.4.3; ≥ 10.3.0, < 10.3.4; +2 more
CWE-863 | Mattermost Fails to Enforce Certain Search APIs
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows authenticated attackers to bypass MFA protections via user search, channel search, or team search queries.
Sources: ghsa, osv