
Github.Com Mattermost Mattermost Server V8 vulnerabilities

199 known vulnerabilities affecting github.com/mattermost_mattermost_server_v8.

Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 15, MEDIUM 129, LOW 48

Vulnerabilities

Page 3 of 10
CVE-2026-3590 | P3 | MEDIUM | 2026-04-17
Affected: ≥ 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20250723052842-4cb8d8940332
CWE-367: Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple i
Sources: ghsa
CVE-2024-54083 | P3 | MEDIUM | 2024-12-16
Affected: ≥ 10.1.0, < 10.1.3; ≥ 10.0.0, < 10.0.3; +2 more
CWE-1287: Mattermost Improper Validation of Specified Type of Input vulnerability
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.
Sources: ghsa, osv
CVE-2025-21088 | P3 | MEDIUM | 2025-01-15
Affected: ≥ 10.2.0, < 10.2.1; ≥ 10.1.0, < 10.1.4; +3 more
CWE-704: Mattermost Incorrect Type Conversion or Cast
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.
Sources: ghsa, osv
CVE-2026-3114 | P3 | MEDIUM | 2026-03-26
Affected: ≥ 11.4.0, < 11.4.1; ≥ 11.3.0, < 11.3.2; +3 more
CWE-409: Mattermost doesn't validate decompressed archive entry sizes during file extraction
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly
Sources: ghsa, osv
CVE-2025-41410 | P3 | MEDIUM | 2025-10-16
Affected: ≥ 0, < 8.0.0-20250822083415-01b95392a450
CWE-862: Mattermost has a Missing Authorization vulnerability
Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions.
Sources: ghsa, osv
CVE-2026-6340 | P3 | MEDIUM | 2026-05-18
Affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +2 more
CWE-789: Mattermost doesn't validate 7zip archive structure before processing
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted 7zip file with excessive folder declarations. (Mattermost Advisory)
Sources: ghsa
CVE-2024-2447 | P3 | HIGH | 2024-04-05
Affected: ≥ 8.1.0, < 8.1.11; ≥ 9.5.0, < 9.5.2; +2 more
CWE-284: Mattermost fails to authenticate the source of certain types of post actions
Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of certain types of post actions, allowing an authenticated attacker to create posts as other users via a crafted post action.
Sources: ghsa, osv
CVE-2025-20033 | P4 | MEDIUM | 2025-01-09
Affected: ≥ 9.11.0, < 9.11.16; ≥ 10.0.0, < 10.0.4; +3 more
CWE-1287: Mattermost Improper Validation of Specified Type of Input vulnerability
Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.
Sources: ghsa, osv
CVE-2023-5196 | P4 | MEDIUM | 2023-09-29
Affected: ≥ 8.1.0, < 8.1.1; ≥ 8.0.0, < 8.0.2
CWE-400: Mattermost Uncontrolled Resource Consumption vulnerability
Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a notification_prop resulting in the server consuming an abnormal quantity of computing resources and possibly becoming temporarily unavailable for its users.
Sources: ghsa, osv
CVE-2025-20088 | P3 | MEDIUM | 2025-01-15
Affected: ≥ 10.2.0, < 10.2.1; ≥ 10.1.0, < 10.1.4; +3 more
CWE-1287: Mattermost fails to properly validate post props
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
Sources: ghsa, osv
CVE-2025-20086 | P3 | MEDIUM | 2025-01-15
Affected: ≥ 10.2.0, < 10.2.1; ≥ 10.1.0, < 10.1.4; +3 more
CWE-1287: Mattermost fails to properly validate post props
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
Sources: ghsa, osv
CVE-2026-4915 | P4 | MEDIUM | 2026-05-26
Affected: ≥ 0, < 8.0.0-20260407102538-faa7d75b4ea0
CWE-754: Mattermost doesn't filter nil elements from outgoing webhook attachment payloads before processing
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termina
Sources: ghsa
CVE-2024-39836 | P3 | MEDIUM | 2024-08-22
Affected: ≥ 9.9.0, < 9.9.2; ≥ 9.5.0, < 9.5.8; +2 more
CWE-693: Mattermost allows remote/synthetic users to create sessions, reset passwords
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when
Sources: ghsa, osv
CVE-2024-24988 | P4 | MEDIUM | 2024-02-29
Affected: ≥ 9.3.0, < 9.3.1; ≥ 9.2.0, < 9.2.5
CWE-400: Mattermost denial of service through long emoji value
Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times a very long string as an emoji value causing high resource consumption and possibly crashing the server.
Sources: ghsa, osv
CVE-2024-47003 | P4 | MEDIUM | 2024-09-26
Affected: ≥ 0, < 8.0.0-20240806094731-69a8b3df0f9f
CWE-400: Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events
Mattermost does not strip `embeds` from `metadata` when broadcasting `posted` events. This allows users to include arbitrary embeds in posts, which are then broadcasted via websockets. This can be exploited in many ways, for example to create permalinks with fully customizable content or to trig
Sources: ghsa, osv
CVE-2024-28053 | P4 | LOW | 2024-03-15
Affected: ≥ 0, < 0.0.0-20240209181221-674f549daf0e
CWE-400: Mattermost Server Resource Exhaustion
Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.
Sources: ghsa, osv
CVE-2024-23493 | P4 | MEDIUM | 2024-02-29
Affected: ≥ 9.4.0, < 9.4.2; ≥ 9.3.0, < 9.3.1; +1 more
CWE-200: Mattermost leaks details of AD/LDAP groups of a team
Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP groups of a team that they are not a member of.
Sources: ghsa, osv
CVE-2026-27656 | P4 | MEDIUM | 2026-03-25
Affected: ≥ 8.0.0-20260105080200-d27a2195068d, < 8.0.0-20260217110922-b7d4a1f1f59b
CWE-303: Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID IsSameUser() comparison logic, which allows an attacker to take over arbitrary user accounts
Sources: ghsa, osv
CVE-2024-28949 | P4 | MEDIUM | 2024-04-05
Affected: ≥ 8.1.0, < 8.1.11; ≥ 9.3.0, < 9.3.3; +2 more
CWE-400: Mattermost Server doesn't limit the number of user preferences
Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user preferences which allows an attacker to send a large number of user preferences potentially causing denial of service.
Sources: ghsa, osv
CVE-2024-36492 | P4 | MEDIUM | 2024-08-01
Affected: ≥ 9.5.0, < 9.5.7; ≥ 9.7.0, < 9.7.6; +2 more
CWE-284: Mattermost failed to disallow the modification of local users when syncing users in shared channels
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels, which allows a malicious remote to overwrite an existing local user.
Sources: ghsa, osv