
github.com/mattermost/mattermost/server/v8 vulnerabilities

199 known vulnerabilities affecting the Go module github.com/mattermost/mattermost/server/v8.

Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 15, MEDIUM 129, LOW 48

Vulnerabilities

Page 4 of 10
CVE-2024-39837 [LOW] P4 | Affected: ≥ 9.5.0, < 9.5.7; ≥ 9.9.0, < 9.9.1; +1 more | Published: 2024-08-01
CWE-284: Mattermost did not properly restrict channel creation
Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to properly restrict channel creation, which allows a malicious remote to create arbitrary channels when shared channels are enabled.
Sources: GHSA, OSV
CVE-2025-27936 [MEDIUM] P4 | Affected: ≥ 10.5.0, < 10.5.2; ≥ 0, < 8.0.0-20250314142426-c049748b8863 | Published: 2025-04-16
CWE-208: Mattermost vulnerable to Observable Timing Discrepancy
Mattermost Plugin MSTeams versions < 2.1.0 and Mattermost Server versions 10.5.x <= 10.5.1 with the MS Teams plugin enabled fail to perform a constant-time comparison of the MSTeams plugin webhook secret, which allows an attacker to retrieve the plugin's webhook secret via a timing attack on the secret comparison.
Sources: GHSA, OSV
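The check the entry above says was missing, as an added example. This is illustrative Go written for this page, not the MSTeams plugin's or Mattermost's code; the X-Webhook-Secret header name and the secret value are assumptions for the demo.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
)

// naiveSecretMatch is the shape of the flaw the advisory describes: Go's
// string == stops at the first differing byte, so response time leaks how
// many leading bytes of a guess were right, and the secret can be recovered
// one byte at a time over many requests.
func naiveSecretMatch(provided, expected string) bool {
	return provided == expected
}

// constantTimeSecretMatch hashes both values to a fixed 32 bytes before
// comparing. The hash step makes the comparison cover the same number of
// bytes whatever the inputs' lengths (a bare ConstantTimeCompare returns at
// once on a length mismatch, leaking the secret's length), and
// subtle.ConstantTimeCompare then spends the same time on every byte.
func constantTimeSecretMatch(provided, expected string) bool {
	p := sha256.Sum256([]byte(provided))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}

// webhookHandler guards an inbound webhook with a shared secret carried in
// the X-Webhook-Secret header (a hypothetical header name chosen for this
// example). A wrong or missing secret gets the same 403 either way.
func webhookHandler(expected string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !constantTimeSecretMatch(r.Header.Get("X-Webhook-Secret"), expected) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}
}

func main() {
	const secret = "example-webhook-secret" // constructed value for the demo
	fmt.Println("exact match:", constantTimeSecretMatch(secret, secret))
	fmt.Println("near miss:  ", constantTimeSecretMatch("example-webhook-secreT", secret))
	fmt.Println("naive match:", naiveSecretMatch(secret, secret))
}
```

naiveSecretMatch is kept only to show the vulnerable pattern. The per-request timing difference of == is small, but it is measurable over many requests on a quiet network, so the fix is to make the comparison data-independent rather than to add jitter or rate limits on top.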
CVE-2026-3112 [MEDIUM] P4 | Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more | Published: 2026-03-26
CWE-22: Mattermost allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate Advanced Logging file target paths, which allows system administrators to read arbitrary host files via malicious AdvancedLog…
Sources: GHSA, OSV
CVE-2025-55073 [MEDIUM] P4 | Affected: ≥ 0, < 8.0.0-20250929212932-a41db04d2746 | Published: 2025-11-14
CWE-306: Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow, which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth re…
Sources: GHSA, OSV
CVE-2025-6233 [MEDIUM] P4 | Affected: ≥ 0, < 8.0.0-20250529054450-d38c27f96fcf | Published: 2025-07-18
CWE-22: Mattermost Path Traversal vulnerability
Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize the input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.
Sources: GHSA, OSV
CVE-2025-13821 [MEDIUM] P4 | Affected: ≥ 0, < 8.0.0-20251210191531-cd17b61de41b | Published: 2026-02-16
CWE-200: Mattermost fails to sanitize sensitive data in WebSocket messages
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages, which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events.
Mattermost Advisory ID: MMSA-2025-00560
Sources: GHSA, OSV
CVE-2025-3230 [MEDIUM] P4 | Affected: ≥ 10.7.0-rc1, < 10.7.1; ≥ 10.6.0-rc1, < 10.6.3; +3 more | Published: 2025-05-30
CWE-303: Mattermost fails to properly invalidate personal access tokens upon user deactivation
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of pre…
Sources: GHSA, OSV
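The two layers a token check needs so that deactivating a user actually ends their access, as an added example. It is constructed Go with an in-memory store written for this page, not Mattermost's session or personal-access-token code; the store layout, user record and token format are assumptions. The same principle, never trusting an authentication decision cached before an account state change, is what the account-to-bot conversion entry (CVE-2025-2475) further down this page turns on.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

var errInvalidToken = errors.New("invalid or revoked token")

type user struct {
	ID     string
	Active bool
}

// tokenStore is a constructed in-memory stand-in for the user and token
// tables; it is not Mattermost's store.
type tokenStore struct {
	mu     sync.Mutex
	users  map[string]*user
	tokens map[string]string // token -> owning user ID
}

func newTokenStore() *tokenStore {
	return &tokenStore{users: map[string]*user{}, tokens: map[string]string{}}
}

func (s *tokenStore) AddUser(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.users[id] = &user{ID: id, Active: true}
}

// Issue mints a 256-bit random token for an active user only.
func (s *tokenStore) Issue(userID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[userID]
	if !ok || !u.Active {
		return "", errors.New("cannot issue token for unknown or inactive user")
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	s.tokens[tok] = userID
	return tok, nil
}

// Validate resolves the token and then re-checks the owner's status on
// every call instead of trusting a decision made when the token was issued.
// This is the second line of defence if revocation in Deactivate were ever
// incomplete (a replica lag, a missed table, a cached lookup).
func (s *tokenStore) Validate(tok string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	uid, ok := s.tokens[tok]
	if !ok {
		return "", errInvalidToken
	}
	if u, ok := s.users[uid]; !ok || !u.Active {
		return "", errInvalidToken
	}
	return uid, nil
}

// Deactivate marks the user inactive and revokes every token they own in
// the same critical section, so there is no window in which the user is
// gone but one of their tokens still resolves. Returns the revoke count.
func (s *tokenStore) Deactivate(userID string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	if u, ok := s.users[userID]; ok {
		u.Active = false
	}
	revoked := 0
	for tok, uid := range s.tokens {
		if uid == userID {
			delete(s.tokens, tok)
			revoked++
		}
	}
	return revoked
}

func main() {
	s := newTokenStore()
	s.AddUser("alice")
	tok, _ := s.Issue("alice")
	_, err := s.Validate(tok)
	fmt.Println("before deactivation:", err)
	fmt.Println("tokens revoked:", s.Deactivate("alice"))
	_, err = s.Validate(tok)
	fmt.Println("after deactivation:", err)
}
```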
CVE-2025-46702 [MEDIUM] P4 | Affected: ≥ 0, < 8.0.0-20250513065225-4ae5d647fb88; ≥ 9.11.0, < 9.11.16; +4 more | Published: 2025-06-30
CWE-863: Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via th…
Sources: GHSA, OSV
CVE-2026-4274 [MEDIUM] P4 | Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more | Published: 2026-03-26
CWE-863: Mattermost has an Incorrect Authorization issue
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel by sending crafted membership sync messages that trigger team m…
Sources: GHSA, OSV
CVE-2023-5969 [MEDIUM] P4 | Affected: ≥ 8.0.0, < 8.0.4; ≥ 8.1.0, < 8.1.3; +1 more | Published: 2023-11-06
CWE-400: Mattermost vulnerable to excessive memory consumption
Mattermost fails to properly sanitize requests to `/api/v4/redirect_location`, allowing an attacker who sends specially crafted requests to that endpoint to fill up server memory, because the large items fetched are cached.
Sources: GHSA, OSV
CVE-2025-2475 [MEDIUM] P4 | Affected: ≥ 10.5.0, < 10.5.2; ≥ 9.11.0, < 9.11.10; +1 more | Published: 2025-04-14
CWE-303: Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot, which allows an attacker to log in to the bot exactly once via normal credentials.
Sources: GHSA, OSV
CVE-2025-47871 [MEDIUM] P4 | Affected: ≥ 0, < 8.0.0-20250513065225-4ae5d647fb88; ≥ 9.11.0, < 9.11.16; +4 more | Published: 2025-06-30
CWE-863: Mattermost Incorrect Authorization vulnerability
Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels, including channel name, display nam…
Sources: GHSA, OSV
CVE-2026-6333 [LOW] P4 | Affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +1 more | Published: 2026-05-18
CWE-918: Mattermost doesn't validate the Host header when constructing response URLs for custom slash commands
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands, which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofe…
Sources: GHSA
CVE-2025-36530 [MEDIUM] P4 | Affected: ≥ 0, < 8.0.0-20250619095651-9dd0b3943e55 | Published: 2025-08-21
CWE-22: Mattermost Fails to Validate File Paths
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations, which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.
Sources: GHSA, OSV
CVE-2025-8023 [MEDIUM] P4 | Affected: ≥ 0, < 8.0.0-20250708065844-b38e2eccda18 | Published: 2025-08-21
CWE-22: Mattermost Fails to Sanitize Path Traversal Sequences
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal via malicious path components, potentially placing files outside the intended directories.
Sources: GHSA, OSV
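A containment check for untrusted file paths, as an added example covering the four path-traversal entries on this page (CVE-2026-3112 logging targets, CVE-2025-6233 bulk-import attachments, CVE-2025-36530 plugin import, CVE-2025-8023 template destinations). This is Go written for this page, not Mattermost's code; the base directory is a constructed value and the tests assume a Unix path separator.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errOutsideBase = errors.New("path escapes base directory")

// naiveJoin is the pattern behind the traversal entries above: Join cleans
// the result, so "../../etc/passwd" quietly resolves to a path outside base
// and nothing checks where it landed.
func naiveJoin(base, untrusted string) string {
	return filepath.Join(base, untrusted)
}

// resolveWithinBase joins an untrusted path onto a trusted base directory and
// returns the cleaned absolute result only if it lies strictly inside base.
// Absolute inputs, any combination of "..", the empty path and the base
// directory itself are rejected. The check is done after cleaning, on the
// relative path from base to the candidate, so encoded tricks like "a/../.."
// are caught the same way as a plain "..".
func resolveWithinBase(base, untrusted string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	if untrusted == "" || filepath.IsAbs(untrusted) {
		return "", errOutsideBase
	}
	candidate := filepath.Join(absBase, untrusted)
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil {
		return "", err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideBase
	}
	return candidate, nil
}

func main() {
	const base = "/srv/mattermost/import" // constructed base directory
	for _, p := range []string{"attachments/a.png", "../../etc/passwd", "/etc/passwd", "a/../b"} {
		got, err := resolveWithinBase(base, p)
		fmt.Printf("%-20q naive=%-36s safe=%q err=%v\n", p, naiveJoin(base, p), got, err)
	}
}
```

This is a lexical check only. If the base directory can also be populated with symlinks by the same admin who supplies the paths, resolve the final path with filepath.EvalSymlinks once the file exists, or open everything through os.OpenRoot (Go 1.24+), which confines each operation to the base at the kernel level.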
CVE-2023-7113 [LOW] P4 | Affected: ≥ 0, < 8.1.7 | Published: 2023-12-29
CWE-79: Mattermost Cross-site Scripting vulnerability
Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.
Sources: GHSA, OSV
CVE-2026-2456 [MEDIUM] P4 | Affected: ≥ 0, < 8.0.0-20260127165411-fe3052073dc6 | Published: 2026-03-16
CWE-789: Mattermost fails to limit the size of responses from integration action endpoints
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an…
Sources: GHSA, OSV
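Bounding the body read from an integration server, as an added example for this entry and for the cache-filling one on `/api/v4/redirect_location` (CVE-2023-5969) above, which is the same failure (unbounded bytes from a remote party ending up in memory). This is Go written for this page, not Mattermost's code; the 1 MiB cap, the action payload and the hostile loopback server are constructed for the demo.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

var errResponseTooLarge = errors.New("integration response exceeds size limit")

// readBounded reads at most max bytes from r. It asks the LimitReader for
// max+1 so it can distinguish "exactly max" from "more than max" and fail
// closed, rather than silently truncating and handing a partial payload to
// the JSON decoder downstream.
func readBounded(r io.Reader, max int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(r, max+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > max {
		return nil, errResponseTooLarge
	}
	return buf, nil
}

// postToIntegration sends an action payload to an integration endpoint and
// reads the reply through readBounded. Content-Length is deliberately not
// consulted: a hostile server can omit it, lie, or stream a chunked body
// forever, so only the bytes actually read are counted.
func postToIntegration(client *http.Client, endpoint string, payload []byte, maxBody int64) ([]byte, error) {
	resp, err := client.Post(endpoint, "application/json", bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return readBounded(resp.Body, maxBody)
}

// hostileIntegration is a constructed loopback server that answers every
// action with a 16 MiB body, standing in for the malicious integration
// server in the advisory.
func hostileIntegration() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_, _ = io.Copy(w, strings.NewReader(strings.Repeat("A", 16<<20)))
	}))
}

func main() {
	srv := hostileIntegration()
	defer srv.Close()
	// The client timeout bounds time; readBounded bounds memory. Both are needed.
	client := &http.Client{Timeout: 5 * time.Second}
	_, err := postToIntegration(client, srv.URL, []byte(`{"action":"example"}`), 1<<20)
	fmt.Println("1 MiB cap:", err)
}
```

Closing the body early, as postToIntegration does on error, also tells the transport to drop the connection rather than drain the remaining bytes, so the cap holds even when the server keeps sending.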
CVE-2025-9072 [HIGH] P4 | Affected: ≥ 0, < 8.0.0-20250731063404-9eebaadf8f72 | Published: 2025-09-15
CWE-601: Mattermost Open Redirect vulnerability
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user's cookies to an attacker-controlled URL.
Sources: GHSA, OSV
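Validating redirect_to against the configured site URL, and building outbound callback URLs from that same configured value instead of from anything in the request, as an added example for this entry and for the Host-header slash-command entry (CVE-2026-6333) above. This is Go written for this page, not Mattermost's code; the site URL, the /hooks/commands/ path layout and the command token are assumptions for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

var errUnsafeRedirect = errors.New("redirect target not allowed")

// safeRedirectTarget validates an untrusted redirect_to value against the
// configured site URL. It accepts only a site-relative path with exactly
// one leading "/", or an absolute URL whose scheme and host equal the
// site's. Protocol-relative targets ("//evil.example"), backslash variants
// that browsers treat as slashes, userinfo tricks ("https://site@evil"),
// bare relative paths and non-HTTP schemes such as javascript: are rejected.
func safeRedirectTarget(siteURL, redirectTo string) (string, error) {
	site, err := url.Parse(siteURL)
	if err != nil || site.Scheme == "" || site.Host == "" {
		return "", errors.New("invalid site URL")
	}
	if redirectTo == "" {
		return "", errUnsafeRedirect
	}
	// Browsers accept "\" where "/" is expected in the authority position;
	// normalise before parsing so "\\evil" and "/\evil" are seen as "//evil".
	normalised := strings.ReplaceAll(redirectTo, `\`, "/")
	if strings.HasPrefix(normalised, "//") {
		return "", errUnsafeRedirect
	}
	u, err := url.Parse(normalised)
	if err != nil {
		return "", errUnsafeRedirect
	}
	if u.Scheme == "" && u.Host == "" && u.Opaque == "" {
		if !strings.HasPrefix(u.Path, "/") {
			return "", errUnsafeRedirect
		}
		return u.String(), nil
	}
	if !strings.EqualFold(u.Scheme, site.Scheme) || !strings.EqualFold(u.Host, site.Host) || u.User != nil {
		return "", errUnsafeRedirect
	}
	return u.String(), nil
}

// commandResponseURL builds the callback URL handed to a custom slash command
// from the configured site URL alone. The inbound request's Host header is
// never read here, so a spoofed Host cannot steer the callback elsewhere.
func commandResponseURL(siteURL, commandToken string) (string, error) {
	site, err := url.Parse(siteURL)
	if err != nil || site.Scheme == "" || site.Host == "" {
		return "", errors.New("invalid site URL")
	}
	return site.JoinPath("hooks", "commands", commandToken).String(), nil
}

func main() {
	const site = "https://chat.example.com" // constructed site URL
	for _, in := range []string{"/channels/town-square", "https://evil.example/", "//evil.example", `\\evil.example`, "javascript:alert(1)"} {
		got, err := safeRedirectTarget(site, in)
		fmt.Printf("%-26q -> %q %v\n", in, got, err)
	}
	cb, _ := commandResponseURL(site, "abc123")
	fmt.Println("callback:", cb)
}
```

Host is compared verbatim, port included, so `https://chat.example.com:443/` is rejected when the configured site URL omits the port; normalise the configured value once at startup if that matters. Any deployment behind a proxy should make the configured site URL, not X-Forwarded-Host, the single source of truth for both checks.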
CVE-2023-48369 [MEDIUM] P4 | Affected: ≥ 9.1.0, < 9.1.1; ≥ 9.0.0, < 9.0.2; +1 more | Published: 2023-11-27
CWE-400: Mattermost Uncontrolled Resource Consumption vulnerability
Mattermost fails to limit the size of its server logs, allowing an attacker who sends specially crafted requests to various endpoints to grow the log without bound.
Sources: GHSA, OSV
CVE-2025-22445 [LOW] P4 | Affected: ≥ 10.0, < 10.3.0; ≥ 0, < 8.0.0-20250102081831-64c566a8280b | Published: 2025-01-09
CWE-754: Mattermost has Improper Check for Unusual or Exceptional Conditions
Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, so the UI misreports a security-sensitive Calls configuration and can mislead administrators about its actual state.
Sources: GHSA, OSV