Mattermost Server vulnerabilities

389 known vulnerabilities affecting mattermost/mattermost_server.

Total CVEs: 389
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 15, HIGH 74, MEDIUM 266, LOW 34

Vulnerabilities

Page 7 of 20
CVE-2025-25279 | HIGH | CVSS 7.5 | Affected: ≥ 9.11.0, < 9.11.8; ≥ 10.2.0, < 10.2.3; +2 more ranges | Published: 2025-02-24
CWE-22. Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards, which allows an attacker to read any arbitrary file on the system by importing and then exporting a specially crafted import archive in Boards.
Source: nvd
CVE-2025-1412 | HIGH | CVSS 8.8 | Affected: ≥ 9.11.0, < 9.11.7; ≥ 10.4.0, < 10.4.2 | Published: 2025-02-24
CWE-384. Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, which allows the converted user to escalate their privileges depending on the permissions granted to the bot.
Source: nvd
CVE-2025-24526 | MEDIUM | CVSS 4.3 | Affected: ≥ 9.11.0, < 9.11.8; ≥ 10.1.0, < 10.1.4; +3 more ranges | Published: 2025-02-24
CWE-863. Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" setting is disabled, which allows a user to export the contents of a channel they should not have access to.
Source: nvd
CVE-2025-20051 | MEDIUM | CVSS 6.5 | Affected: ≥ 9.11.0, < 9.11.8; ≥ 10.2.0, < 10.2.3; +2 more ranges | Published: 2025-02-24
CWE-22. Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system by duplicating a specially crafted block in Boards.
Source: nvd
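Both CWE-22 entries above (CVE-2025-25279 and CVE-2025-20051) come down to a file reference carried inside Boards import or block data being resolved without confining it to the directory the import is allowed to touch. The check below is an added example of the containment test such a path needs; it is not Mattermost's code, and the import root layout, the `SafeJoin` name and the sample references are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any reference that would resolve outside
// the directory the import is allowed to touch.
var ErrOutsideRoot = errors.New("path escapes import root")

// SafeJoin resolves untrusted, a relative file reference taken from import
// data (an archive entry name, a block's file attachment, ...), against root
// and returns the resulting path only if it stays inside root. Absolute
// paths, empty names, the root itself and any ".." that climbs out of root
// are rejected.
func SafeJoin(root, untrusted string) (string, error) {
	if untrusted == "" {
		return "", ErrOutsideRoot
	}
	// Treat backslashes as separators too, so "..\..\etc" written by a
	// Windows client cannot bypass a check that only understands "/".
	name := strings.ReplaceAll(untrusted, `\`, "/")
	if filepath.IsAbs(name) || strings.HasPrefix(name, "/") {
		return "", ErrOutsideRoot
	}
	cleanRoot := filepath.Clean(root)
	joined := filepath.Join(cleanRoot, filepath.FromSlash(name)) // Join also Cleans
	// filepath.Rel expresses joined relative to root: a leading ".." means
	// the reference climbed above root, "." means it is root itself.
	rel, err := filepath.Rel(cleanRoot, joined)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

func main() {
	root := "/srv/mattermost/imports/job-42" // assumed layout, not Mattermost's
	for _, ref := range []string{
		"boards/board.json",
		"../../../../etc/passwd",
		"/etc/passwd",
		`..\..\config\config.json`,
	} {
		p, err := SafeJoin(root, ref)
		fmt.Printf("%-32q -> %q err=%v\n", ref, p, err)
	}
}
```

The check is purely lexical. If the import root can contain symlinks, or the archive being unpacked can create them, the resolved path also has to be opened without following links out of the root (Go 1.24's `os.Root` does this), otherwise a link planted in one step can redirect the read in the next.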
CVE-2025-24490 | MEDIUM | CVSS 6.5 | Affected: ≥ 9.11.0, < 9.11.8; ≥ 10.2.0, < 10.2.3; +2 more ranges | Published: 2025-02-24
CWE-89. Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query used for board reordering, which allows an attacker to retrieve data from the database via SQL injection when reordering specially crafted board categories.
Source: nvd
CVE-2025-0503 | MEDIUM | CVSS 5.3 | Affected: ≥ 9.11.0, < 9.11.7 | Published: 2025-02-14
CWE-754. Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint, which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.
Source: nvd
CVE-2025-20621 | HIGH | CVSS 7.5 | Affected: ≥ 9.11.0, < 9.11.6; ≥ 10.0.0, < 10.0.4; +2 more ranges | Published: 2025-01-16
CWE-1287. Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to crash the webapp by creating and sending such a post to a channel.
Source: nvd
CVE-2025-21088 | MEDIUM | CVSS 6.5 | Affected: ≥ 9.11.0, < 9.11.6; ≥ 10.0.0, < 10.0.4; +2 more ranges | Published: 2025-01-15
CWE-704. Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.
Source: nvd
CVE-2025-20088 | MEDIUM | CVSS 6.5 | Affected: ≥ 9.11.0, < 9.11.6; ≥ 10.0.0, < 10.0.4; +2 more ranges | Published: 2025-01-15
CWE-1287. Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props, which allows a malicious authenticated user to cause a crash via a malicious post.
Source: nvd
CVE-2025-20086 | MEDIUM | CVSS 6.5 | Affected: ≥ 9.11.0, < 9.11.6; ≥ 10.0.0, < 10.0.4; +2 more ranges | Published: 2025-01-15
CWE-1287. Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props, which allows a malicious authenticated user to cause a crash via a malicious post.
Source: nvd
CVE-2025-20033 | MEDIUM | CVSS 6.5 | Affected: ≥ 9.11.0, < 9.11.6; ≥ 10.0.0, < 10.0.4; +2 more ranges | Published: 2025-01-09
CWE-1287. Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission by creating a post with the custom_pl_notification type and specific props.
Source: nvd
CVE-2025-22445 | MEDIUM | CVSS 5.3 | Affected: ≥ 10.0.0, < 10.3.0 | Published: 2025-01-09
CWE-754. Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which can mislead admins about a security-sensitive Calls configuration through incorrect UI reporting.
Source: nvd
CVE-2025-22449 | LOW | CVSS 3.8 | Affected: ≥ 9.11.0, < 9.11.6 | Published: 2025-01-09
CWE-863. Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins who have no permission to invite users to their team to invite users anyway, by making their team public through an update of the "allow_open_invite" field.
Source: nvd
CVE-2024-48872 | MEDIUM | CVSS 4.8 | Affected: ≥ 9.5.0, < 9.5.13; ≥ 9.11.0, < 9.11.5; +2 more ranges | Published: 2024-12-16
CWE-362. Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent the failed-login counter from being checked and updated concurrently, which allows an attacker to bypass the "Max failed attempts" restriction and send a large number of login attempts before being blocked, by sending multiple login requests simultaneously.
Source: nvd
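The CWE-362 entry above is a classic check-then-update race: the failed-attempt counter is read, the request is admitted, and the counter is written back later, so requests arriving together all see the same stale count. The example below is an added illustration of that race and of the atomic reserve-then-check that closes it; it is not Mattermost's code, the in-memory limiter stands in for whatever store holds the counter, and the `Hammer` driver and its attempt count are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// MaxFailedAttempts stands in for the "Max failed attempts" setting.
const MaxFailedAttempts = 5

// RacyLimiter follows the check-then-update pattern the advisory describes:
// the counter is read, the request is allowed, and the counter is written
// back later as a separate step. Every request that reads the counter before
// the first write lands sees the same stale value and is allowed through.
type RacyLimiter struct {
	mu       sync.Mutex
	attempts map[string]int
}

func NewRacyLimiter() *RacyLimiter { return &RacyLimiter{attempts: map[string]int{}} }

// Allow reports whether a (failing) login attempt for user is processed.
func (l *RacyLimiter) Allow(user string) bool {
	l.mu.Lock()
	n := l.attempts[user] // check ...
	l.mu.Unlock()
	if n >= MaxFailedAttempts {
		return false
	}
	// ... the password check would run here, with the lock released ...
	l.mu.Lock()
	l.attempts[user] = n + 1 // ... then update from the stale value
	l.mu.Unlock()
	return true
}

// SafeLimiter reserves the attempt atomically: the read, the decision and
// the increment happen under one lock, so at most MaxFailedAttempts requests
// are ever processed no matter how many arrive at once. A successful login
// would reset the counter (not shown).
type SafeLimiter struct {
	mu       sync.Mutex
	attempts map[string]int
}

func NewSafeLimiter() *SafeLimiter { return &SafeLimiter{attempts: map[string]int{}} }

func (l *SafeLimiter) Allow(user string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.attempts[user] >= MaxFailedAttempts {
		return false
	}
	l.attempts[user]++
	return true
}

// Hammer fires n login attempts for the same user at the same instant and
// returns how many were processed rather than rejected.
func Hammer(allow func(string) bool, n int) int {
	var processed int64
	var wg sync.WaitGroup
	start := make(chan struct{})
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			<-start // release all goroutines together
			if allow("alice") {
				atomic.AddInt64(&processed, 1)
			}
		}()
	}
	close(start)
	wg.Wait()
	return int(processed)
}

func main() {
	fmt.Println("racy limiter processed:", Hammer(NewRacyLimiter().Allow, 200))
	fmt.Println("safe limiter processed:", Hammer(NewSafeLimiter().Allow, 200))
}
```

The racy figure varies from run to run (anything from 5 up to 200), which is exactly what makes this class of bug easy to miss in a single-threaded test; the safe limiter always reports 5. When the counter lives in a database rather than in memory, the equivalent of the single lock is one conditional statement that increments and checks in the same round trip (for example an UPDATE guarded by `WHERE attempts < max`, or a row lock held across the check), rather than a SELECT followed by a separate UPDATE.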
CVE-2024-54083 | MEDIUM | CVSS 6.5 | Affected: ≥ 9.5.0, < 9.5.13; ≥ 9.11.0, < 9.11.5; +2 more ranges | Published: 2024-12-16
CWE-1287. Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps, which allows a user to cause a client-side (webapp and mobile) DoS for users of particular channels by sending a specially crafted post.
Source: nvd
CVE-2024-54682 | MEDIUM | CVSS 4.9 | Affected: ≥ 9.5.0, < 9.5.13; ≥ 9.11.0, < 9.11.5; +2 more ranges | Published: 2024-12-16
CWE-409. Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for Slack import file uploads, which allows a user to cause a DoS via a zip bomb by importing data into a team where they are a team admin.
Source: nvd
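The CWE-409 entry above is the zip-bomb case: the on-disk size of an upload says little about how much data it inflates to, so the limit has to be applied to the decompressed byte count, and the sizes declared in the archive's own headers cannot be trusted for that. The example below is an added illustration of such a budget check; it is not Mattermost's import code, and the `BuildZip` helper, the budget value and the sample archives are constructed for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the archive's uncompressed content exceeds the budget.
var ErrTooLarge = errors.New("import exceeds uncompressed size budget")

// Entry is one file to place in a constructed test archive.
type Entry struct {
	Name string
	Data []byte
}

// BuildZip constructs an in-memory deflate zip archive; it exists only to
// make sample input for CheckArchive.
func BuildZip(entries []Entry) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.Name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write(e.Data); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// CheckArchive inflates every entry of data while enforcing a total
// uncompressed budget of maxTotal bytes. The sizes declared in the central
// directory are attacker-controlled, so they only give an early rejection;
// the real limit is enforced by counting the bytes that actually come out of
// the decompressor through a LimitReader. It returns the number of
// uncompressed bytes seen before it stopped.
func CheckArchive(data []byte, maxTotal int64) (int64, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return 0, err
	}
	var total int64
	for _, f := range zr.File {
		remaining := maxTotal - total
		if f.UncompressedSize64 > uint64(remaining) { // header already says it will not fit
			return total, ErrTooLarge
		}
		rc, err := f.Open()
		if err != nil {
			return total, err
		}
		// Read at most remaining+1 bytes: one byte over budget is enough to
		// prove the stream is larger than allowed, without inflating the rest.
		n, err := io.Copy(io.Discard, io.LimitReader(rc, remaining+1))
		rc.Close()
		if err != nil {
			return total, err
		}
		total += n
		if total > maxTotal {
			return total, ErrTooLarge
		}
	}
	return total, nil
}

func main() {
	small := BuildZip([]Entry{{"channels.json", []byte(`{"channels":[]}`)}})
	bomb := BuildZip([]Entry{{"users.json", make([]byte, 8<<20)}}) // 8 MiB of zeros, a few KiB compressed
	const budget = 1 << 20                                          // 1 MiB, an assumed limit
	for _, c := range []struct {
		name string
		z    []byte
	}{{"small", small}, {"bomb", bomb}} {
		n, err := CheckArchive(c.z, budget)
		fmt.Printf("%s: %d bytes on disk, %d inflated, err=%v\n", c.name, len(c.z), n, err)
	}
}
```

The same budget should also cap the size of the upload itself before it is written anywhere, and nested archives (a zip inside a zip entry) need the check applied recursively, since the inner layer is what multiplies the ratio.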
CVE-2024-12247 | MEDIUM | CVSS 4.3 | Affected: ≥ 9.7.0, < 9.7.6; ≥ 9.8.0, < 9.8.3; +1 more range | Published: 2024-12-05
CWE-863. Mattermost versions 9.7.x <= 9.7.5, 9.8.x <= 9.8.2 and 9.9.x <= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes, which allows a user to keep old permissions even after the permission scheme has been updated.
Source: nvd
CVE-2024-11599 | MEDIUM | CVSS 5.3 | Affected: ≥ 9.5.0, < 9.5.12; ≥ 9.11.0, < 9.11.4; +2 more ranges | Published: 2024-11-28
CWE-754. Mattermost versions 10.0.x <= 10.0.1, 10.1.x <= 10.1.1, 9.11.x <= 9.11.3, 9.5.x <= 9.5.11 fail to properly validate email addresses, which allows an unauthenticated user to bypass email domain restrictions via carefully crafted input during email registration.
Source: nvd
CVE-2024-52032 | MEDIUM | CVSS 4.3 | Affected: ≥ 9.11.0, < 9.11.3; = 10.0.0 | Published: 2024-11-09
CWE-200. Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 fail to properly query Elasticsearch when searching for the channel name in the channel switcher, which allows an attacker to obtain the names of private channels they are not a member of when Elasticsearch v8 is enabled.
Source: nvd
CVE-2024-36250 | MEDIUM | CVSS 4.8 | Affected: ≥ 9.5.0, < 9.5.11; ≥ 9.11.0, < 9.11.3 | Published: 2024-11-09
CWE-303. Mattermost versions 9.11.x <= 9.11.2 and 9.5.x <= 9.5.10 fail to protect the MFA code against replay attacks, which allows an attacker to reuse the MFA code within roughly 30 seconds.
Source: nvd