
Github.Com Mattermost Mattermost Server V8 vulnerabilities

199 known vulnerabilities affecting github.com/mattermost_mattermost_server_v8.

Total CVEs: 199
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 15, MEDIUM 129, LOW 48

Vulnerabilities

Page 5 of 10
CVE-2025-11794 | P4 | MEDIUM | Affected: ≥ 0, < 8.0.0-20250929212932-a41db04d2746 | 2025-11-14
  CWE-200: Mattermost allows system administrators to access password hashes and MFA secrets
  Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data, which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint.
  Sources: ghsa, osv

CVE-2025-9084 | P4 | LOW | Affected: ≥ 0, < 8.0.0-202508080704-39bd251fe4f600 | 2025-09-15
  CWE-601: Mattermost Open Redirect vulnerability
  Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs, which allows attackers to redirect users to malicious sites via crafted OAuth login URLs.
  Sources: ghsa, osv

CVE-2025-62690 | P4 | LOW | Affected: ≥ 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20251016131338-dad6bd7a1509 | 2025-12-17
  CWE-601: Mattermost has missing redirect URL validation
  Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab.
  Sources: ghsa, osv

CVE-2025-31947 | P4 | MEDIUM | Affected: ≥ 10.6.0, < 10.6.2; ≥ 10.5.0, < 10.5.3; +3 more | 2025-05-15
  CWE-645: Mattermost Fails to Lock Out LDAP Users After Repeated Login Failures
  Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lock out LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts through repeated login failures via Mattermost.
  Sources: ghsa, osv

CVE-2025-6465 | P4 | MEDIUM | Affected: ≥ 0, < 8.0.0-20250708173752-d6b35c41f0ae5 | 2025-08-21
  CWE-22: Mattermost Fails to Sanitize File Names
  Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names, which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.
  Sources: ghsa, osv

CVE-2023-6459 | P4 | MEDIUM | Affected: ≥ 0, < 8.1.5 | 2023-12-06
  CWE-200: Mattermost Exposure of Sensitive Information to an Unauthorized Actor vulnerability
  Mattermost groups calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint reveals channelIDs.
  Sources: ghsa, osv

CVE-2023-5195 | P4 | MEDIUM | Affected: ≥ 8.1.0, < 8.1.1; ≥ 8.0.0, < 8.0.2 | 2023-09-29
  CWE-863: Mattermost Incorrect Authorization vulnerability
  Mattermost fails to properly validate the permissions when soft deleting a team, allowing a team member to soft delete other teams that they are not part of.
  Sources: ghsa, osv

CVE-2024-42497 | P4 | HIGH | Affected: ≥ 9.5.0, < 9.5.8; ≥ 9.10.0, < 9.10.1; +2 more | 2024-08-22
  CWE-284: Mattermost allows a user with the system manager role and read-only access to teams to perform write operations on teams
  Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions, which allows a user with the system manager role and read-only access to teams to perform write operations on teams.
  Sources: ghsa, osv

CVE-2025-8402 | P4 | MEDIUM | Affected: ≥ 0, < 8.0.0-20250708173752-d6b35c41f0ae5 | 2025-08-21
  CWE-476: Mattermost has Potential Server Crash due to Unvalidated Import Data
  Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data, which allows a system admin to crash the server via the bulk import feature.
  Sources: ghsa, osv

CVE-2024-29977 | P4 | MEDIUM | Affected: ≥ 9.5.0, < 9.5.7; ≥ 9.9.0, < 9.9.1 | 2024-08-01
  CWE-284: Mattermost failed to properly validate synced reactions
  Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts.
  Sources: ghsa, osv

CVE-2025-32093 | P4 | MEDIUM | Affected: ≥ 10.5.0, < 10.5.2; ≥ 10.4.0, < 10.4.4; +2 more | 2025-04-14
  CWE-863: Mattermost Fails to Restrict Certain Operations on System Admins
  Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission val
  Sources: ghsa, osv

CVE-2025-11776 | P4 | MEDIUM | Affected: ≥ 0, < 8.0.0-20250815165020-c8d66301415d | 2025-11-14
  CWE-863: Mattermost fails to properly restrict access to the archived channel search API
  Mattermost versions < 11 fail to properly restrict access to the archived channel search API, which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint.
  Sources: ghsa, osv

CVE-2026-3637 | P4 | MEDIUM | Affected: ≥ 10.11.0, < 10.11.14; ≥ 11.4.0, < 11.4.4; +2 more | 2026-05-18
  CWE-862: Mattermost doesn't check the create_post channel permission during post edit operations
  Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations, which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post u
  Sources: ghsa

CVE-2026-28732 | P4 | MEDIUM | Affected: ≥ 11.5.0, < 11.5.2; ≥ 10.11.0, < 10.11.14; +2 more | 2026-05-18
  CWE-863: Mattermost doesn't enforce slash command trigger-word uniqueness during command updates
  Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to enforce slash command trigger-word uniqueness during command updates, which allows an authenticated team member with the Manage Own Slash Commands permission to hijack and impersonate existing system or custom sl
  Sources: ghsa

CVE-2026-27659 | P4 | MEDIUM | Affected: ≥ 11.4.0-rc1, < 11.4.1; ≥ 11.3.0-rc1, < 11.3.2; +3 more | 2026-03-25
  CWE-352: Mattermost doesn't properly validate CSRF tokens
  Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing an access control policy's active status via a crafted request. Mattermost Advisory ID: MMSA-2026-00578
  Sources: ghsa, osv

CVE-2023-47168 | P4 | MEDIUM | Affected: ≥ 9.1.0, < 9.1.1; ≥ 9.0.0, < 9.0.2; +1 more | 2023-11-27
  CWE-601: Mattermost Open Redirect vulnerability
  Mattermost fails to properly check a redirect URL parameter, so an open redirect was possible when the user clicked "Back to Mattermost" after providing an invalid custom URL scheme in /oauth/{service}/mobile_login?redirect_to=
  Sources: ghsa, osv

CVE-2023-35075 | P4 | LOW | Affected: ≥ 0, < 8.1.4 | 2023-11-27
  CWE-74: Mattermost Injection vulnerability
  Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML into a victim's page by creating a channel name that is valid HTML. No XSS is possible, though.
  Sources: ghsa, osv

CVE-2024-39839 | P4 | MEDIUM | Affected: ≥ 9.5.0, < 9.5.7; ≥ 9.7.0, < 9.7.6; +2 more | 2024-08-01
  CWE-284: Mattermost allows a user on a remote to set their remote username prop to an arbitrary string
  Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users from setting their own remote username when shared channels are enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be
  Sources: ghsa, osv

CVE-2024-50052 | P4 | MEDIUM | Affected: ≥ 0, < 8.0.0-20240926115259-20ed58906adc | 2024-10-29
  CWE-862: Mattermost server allows an authenticated user to delete an arbitrary post
  Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches the original post metadata, which allows an authenticated user to delete an arbitrary post.
  Sources: ghsa, osv

CVE-2026-4265 | P4 | MEDIUM | Affected: ≥ 0, < 8.0.0-20260107144005-c7f6efdfb035 | 2026-03-16
  CWE-863: Mattermost fails to validate team-specific upload_file permissions
  Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions, which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a di
  Sources: ghsa, osv