| CVE-2026-6345 | medium | 6.5 | 6.5 | 17d ago | Mattermost doesn't prevent disclosure of created user password |
| CVE-2026-5163 | medium | 6.5 | 6.5 | 17d ago | Mattermost doesn't verify channel membership when processing AI-assisted message rewrites |
| CVE-2026-6340 | medium | 6.5 | 6.5 | 17d ago | Mattermost doesn't validate 7zip archive structure before processing |
| CVE-2026-28741 | medium | — | 5.5 | 2mo ago | Mattermost doesn't validate CSRF tokens on an authentication endpoint |
| CVE-2026-3590 | medium | — | 5.5 | 2mo ago | Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement |
| CVE-2026-6333 | medium | 5.0 | 5.0 | 17d ago | Mattermost doesn't validate the Host header when constructing response URLs for custom slash command |
| CVE-2026-3495 | medium | 4.8 | 4.8 | 17d ago | Mattermost doesn't escape some variables that could contain malicious content during error page composition |
| CVE-2026-6343 | medium | 4.3 | 4.3 | 17d ago | Mattermost doesn't check public/private permissions |
| CVE-2026-6339 | medium | 4.3 | 4.3 | 17d ago | Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint |
| CVE-2026-4286 | medium | 4.3 | 4.3 | 17d ago | Mattermost doesn't check if {{team_id}} was being changed when updating playbooks |
| CVE-2026-28732 | medium | 4.3 | 4.3 | 17d ago | Mattermost doesn't enforce slash command trigger-word uniqueness during command updates |
| CVE-2026-4273 | medium | 4.3 | 4.3 | 17d ago | Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation |
| CVE-2026-3637 | medium | 4.3 | 4.3 | 17d ago | Mattermost doesn't check the create_post channel permission during post edit operations |
| CVE-2026-28759 | medium | 4.3 | 4.3 | 17d ago | Mattermost does not verify remote cluster channel access when processing shared channel membership removals |