| CVE-2026-6346 |
high |
8.7 |
8.7 |
|
|
|
17d ago |
Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation |
| CVE-2026-6347 |
high |
7.6 |
7.6 |
|
|
|
17d ago |
Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin |
| CVE-2026-6345 |
medium |
6.5 |
6.5 |
|
|
|
17d ago |
Mattermost doesn't prevent disclosure of created user password |
| CVE-2026-5163 |
medium |
6.5 |
6.5 |
|
|
|
17d ago |
Mattermost doesn't verify channel membership when processing AI-assisted message rewrites |
| CVE-2026-6340 |
medium |
6.5 |
6.5 |
|
|
|
17d ago |
Mattermost doesn't validate 7zip archive structure before processing |
| CVE-2026-2325 |
medium |
6.5 |
6.5 |
|
|
|
17d ago |
Mattermost doesn't limit the size of the request body on the start meeting API endpoint |
| CVE-2026-4054 |
medium |
6.5 |
6.5 |
|
|
|
19d ago |
Mattermost doesn't validate the response body of proxied images |
| CVE-2026-3590 |
medium |
— |
5.5 |
|
|
|
2mo ago |
Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement |
| CVE-2026-6333 |
medium |
5.0 |
5.0 |
|
|
|
17d ago |
Mattermost doesn't validate the Host header when constructing response URLs for custom slash command |
| CVE-2026-3495 |
medium |
4.8 |
4.8 |
|
|
|
17d ago |
Mattermost doesn't escape some variables that could contain malicious content during error page composition |
| CVE-2026-6339 |
medium |
4.3 |
4.3 |
|
|
|
17d ago |
Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint |
| CVE-2026-28732 |
medium |
4.3 |
4.3 |
|
|
|
17d ago |
Mattermost doesn't enforce slash command trigger-word uniqueness during command updates |
| CVE-2026-4273 |
medium |
4.3 |
4.3 |
|
|
|
17d ago |
Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation |
| CVE-2026-3637 |
medium |
4.3 |
4.3 |
|
|
|
17d ago |
Mattermost doesn't check the create_post channel permission during post edit operations |
| CVE-2026-28759 |
medium |
4.3 |
4.3 |
|
|
|
17d ago |
Mattermost does not verify remote cluster channel access when processing shared channel membership removals |
| CVE-2026-4053 |
medium |
4.3 |
4.3 |
|
|
|
19d ago |
Mattermost doesn't enforce the PostEditTimeLimit on non-message post fields |
| CVE-2026-6334 |
low |
3.8 |
3.8 |
|
|
|
17d ago |
Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow |
| CVE-2026-27769 |
low |
— |
2.5 |
|
|
|
2mo ago |
Mattermost doesn't validate whether users were correctly owned by the correct Connected Workspace |
| CVE-2021-37860 |
low |
— |
2.5 |
|
|
|
5y ago |
Cross-site Scripting in Mattermost in github.com/mattermost/mattermost-server |
| CVE-2026-3113 |
unknown |
— |
— |
|
|
|
2mo ago |
Mattermost doesn't set permissions on downloaded bulk export |
| CVE-2026-27656 |
unknown |
— |
— |
|
|
|
2mo ago |
Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw |
| CVE-2026-26233 |
unknown |
— |
— |
|
|
|
2mo ago |
Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server |
| CVE-2026-22545 |
unknown |
— |
— |
|
|
|
3mo ago |
Mattermost fails to validate user's authentication method when processing account auth type switch in github.com/mattermost/mattermost-server |
| CVE-2026-2455 |
unknown |
— |
— |
|
|
|
3mo ago |
Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation in github.com/mattermost/mattermost-server |
| CVE-2026-24692 |
unknown |
— |
— |
|
|
|
3mo ago |
Mattermost fails to properly enforce read permissions in search API endpoints in github.com/mattermost/mattermost-server |
| CVE-2026-21386 |
unknown |
— |
— |
|
|
|
3mo ago |
Mattermost fails to use consistent error responses when handling the /mute command in github.com/mattermost/mattermost-server |
| CVE-2026-4265 |
unknown |
— |
— |
|
|
|
3mo ago |
Mattermost fails to validate team-specific upload_file permissions in github.com/mattermost/mattermost-server |
| CVE-2026-2456 |
unknown |
— |
— |
|
|
|
3mo ago |
Mattermost fails to limit the size of responses from integration action endpoints in github.com/mattermost/mattermost-server |
| CVE-2026-2463 |
unknown |
— |
— |
|
|
|
3mo ago |
Mattermost fails to filter invite IDs based on user permissions in github.com/mattermost/mattermost-server |
| CVE-2026-2578 |
unknown |
— |
— |
|
|
|
3mo ago |
Mattermost fails to preserve the redacted state of burn-on-read posts during deletion in github.com/mattermost/mattermost-server |
| CVE-2026-2458 |
unknown |
— |
— |
|
|
|
3mo ago |
Mattermost allows a removed team member to enumerate all public channels within a private team in github.com/mattermost/mattermost-server |
| CVE-2026-25783 |
unknown |
— |
— |
|
|
|
3mo ago |
Mattermost fails to properly validate User-Agent header tokens in github.com/mattermost/mattermost-server |
| CVE-2026-26246 |
unknown |
— |
— |
|
|
|
3mo ago |
Mattermost fails to bound memory allocation when processing PSD image files in github.com/mattermost/mattermost-server |
| CVE-2026-2457 |
unknown |
— |
— |
|
|
|
3mo ago |
Mattermost allows attackers to spoof permalink embeds in github.com/mattermost/mattermost-server |
| CVE-2026-25780 |
unknown |
— |
— |
|
|
|
3mo ago |
Mattermost fails to bound memory allocation when processing DOC files in github.com/mattermost/mattermost-server |
| CVE-2026-24458 |
unknown |
— |
— |
|
|
|
3mo ago |
Mattermost fails to properly handle very long passwords in github.com/mattermost/mattermost-server |
| CVE-2025-14350 |
unknown |
— |
— |
|
|
|
4mo ago |
Mattermost fails to properly validate team membership when processing channel mentions in github.com/mattermost/mattermost-server |
| CVE-2025-14573 |
unknown |
— |
— |
|
|
|
4mo ago |
Mattermost fails to enforce invite permissions when updating team settings in github.com/mattermost/mattermost-server |
| CVE-2025-13821 |
unknown |
— |
— |
|
|
|
4mo ago |
Mattermost fails to sanitize sensitive data in WebSocket messages in github.com/mattermost/mattermost-server |
| CVE-2026-0999 |
unknown |
— |
— |
|
|
|
4mo ago |
Mattermost fails to properly validate login method restrictions in github.com/mattermost/mattermost-server |
| CVE-2026-22892 |
unknown |
— |
— |
|
|
|
4mo ago |
Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts in github.com/mattermost/mattermost-server |
| CVE-2026-20796 |
unknown |
— |
— |
|
|
|
4mo ago |
Mattermost doesn't properly validate channel membership at the time of data retrieval in github.com/mattermost/mattermost-server |
| CVE-2025-14435 |
unknown |
— |
— |
|
|
|
5mo ago |
Mattermost is vulnerable to DoS due to infinite re-renders on API errors in github.com/mattermost/mattermost-server |
| CVE-2025-14822 |
unknown |
— |
— |
|
|
|
5mo ago |
Mattermost is vulnerable to CPU exhaustion via crafted HTTP request in github.com/mattermost/mattermost-server |
| CVE-2025-13767 |
unknown |
— |
— |
|
|
|
5mo ago |
Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues in github.com/mattermost/mattermost-server |
| CVE-2025-64641 |
unknown |
— |
— |
|
|
|
5mo ago |
Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin in github.com/mattermost/mattermost-server |
| CVE-2025-14273 |
unknown |
— |
— |
|
|
|
5mo ago |
Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira |
| CVE-2025-13324 |
unknown |
— |
— |
|
|
|
6mo ago |
Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost |
| CVE-2025-62690 |
unknown |
— |
— |
|
|
|
6mo ago |
Mattermost has missing redirect URL validation in github.com/mattermost/mattermost |
| CVE-2025-13352 |
unknown |
— |
— |
|
|
|
6mo ago |
Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost |
| CVE-2017-18870 |
unknown |
— |
— |
|
|
|
6mo ago |
CVE-2017-18870 in github.com/mattermost/mattermost-server |
| CVE-2025-13870 |
unknown |
— |
— |
|
|
|
6mo ago |
Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost |
| CVE-2025-12756 |
unknown |
— |
— |
|
|
|
6mo ago |
Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost |
| CVE-2025-12421 |
unknown |
— |
— |
|
|
|
6mo ago |
Mattermost fails to to verify the token used during code exchange in github.com/mattermost/mattermost-server |
| CVE-2025-12559 |
unknown |
— |
— |
|
|
|
6mo ago |
Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server |
| CVE-2025-12419 |
unknown |
— |
— |
|
|
|
6mo ago |
Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server |
| CVE-2025-55074 |
unknown |
— |
— |
|
|
|
7mo ago |
Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server |
| CVE-2025-11794 |
unknown |
— |
— |
|
|
|
7mo ago |
Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server |
| CVE-2025-55073 |
unknown |
— |
— |
|
|
|
7mo ago |
Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server |
| CVE-2025-41436 |
unknown |
— |
— |
|
|
|
7mo ago |
Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server |
| CVE-2025-11776 |
unknown |
— |
— |
|
|
|
7mo ago |
Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost |
| CVE-2025-55070 |
unknown |
— |
— |
|
|
|
7mo ago |
Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server |
| CVE-2025-11777 |
unknown |
— |
— |
|
|
|
7mo ago |
Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost |
| CVE-2025-58073 |
unknown |
— |
— |
|
|
|
8mo ago |
Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server |
| CVE-2025-54499 |
unknown |
— |
— |
|
|
|
8mo ago |
Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server |
| CVE-2025-58075 |
unknown |
— |
— |
|
|
|
8mo ago |
Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server |
| CVE-2025-41443 |
unknown |
— |
— |
|
|
|
8mo ago |
Guest user can discover active public channels in github.com/mattermost/mattermost-server |
| CVE-2025-41410 |
unknown |
— |
— |
|
|
|
8mo ago |
Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server |
| CVE-2025-10545 |
unknown |
— |
— |
|
|
|
8mo ago |
Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server |
| CVE-2025-9079 |
unknown |
— |
— |
|
|
|
9mo ago |
Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server |
| CVE-2025-9081 |
unknown |
— |
— |
|
|
|
9mo ago |
Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards |
| CVE-2025-9084 |
unknown |
— |
— |
|
|
|
9mo ago |
Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server |
| CVE-2025-9072 |
unknown |
— |
— |
|
|
|
9mo ago |
Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server |
| CVE-2025-9078 |
unknown |
— |
— |
|
|
|
9mo ago |
Mattermost makes Use of Weak Hash in github.com/mattermost/mattermost-server |
| CVE-2025-9076 |
unknown |
— |
— |
|
|
|
9mo ago |
Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server |
| CVE-2025-8402 |
unknown |
— |
— |
|
|
|
10mo ago |
Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server |
| CVE-2025-6465 |
unknown |
— |
— |
|
|
|
10mo ago |
Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server |
| CVE-2025-8023 |
unknown |
— |
— |
|
|
|
10mo ago |
Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server |
| CVE-2025-47870 |
unknown |
— |
— |
|
|
|
10mo ago |
Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server |
| CVE-2025-49222 |
unknown |
— |
— |
|
|
|
10mo ago |
Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server |
| CVE-2025-53971 |
unknown |
— |
— |
|
|
|
10mo ago |
Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server |
| CVE-2025-36530 |
unknown |
— |
— |
|
|
|
10mo ago |
Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server |
| CVE-2025-49810 |
unknown |
— |
— |
|
|
|
10mo ago |
Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server |
| CVE-2025-47700 |
unknown |
— |
— |
|
|
|
10mo ago |
Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server |
| CVE-2025-6233 |
unknown |
— |
— |
|
|
|
11mo ago |
Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server |
| CVE-2025-6227 |
unknown |
— |
— |
|
|
|
11mo ago |
Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server |
| CVE-2025-6226 |
unknown |
— |
— |
|
|
|
11mo ago |
Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server |
| CVE-2025-46702 |
unknown |
— |
— |
|
|
|
11mo ago |
Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server |
| CVE-2025-47871 |
unknown |
— |
— |
|
|
|
11mo ago |
Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server |
| CVE-2025-3227 |
unknown |
— |
— |
|
|
|
1y ago |
Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server |
| CVE-2025-3228 |
unknown |
— |
— |
|
|
|
1y ago |
Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server |
| CVE-2025-4981 |
unknown |
— |
— |
|
|
|
1y ago |
Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server |
| CVE-2025-4128 |
unknown |
— |
— |
|
|
|
1y ago |
Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server |
| CVE-2025-4573 |
unknown |
— |
— |
|
|
|
1y ago |
Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server |
| CVE-2025-3611 |
unknown |
— |
— |
|
|
|
1y ago |
Mattermost fails to properly enforce access control restrictions for System Manager roles in github.com/mattermost/mattermost-server |
| CVE-2025-3230 |
unknown |
— |
— |
|
|
|
1y ago |
Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server |
| CVE-2025-2571 |
unknown |
— |
— |
|
|
|
1y ago |
Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server |
| CVE-2025-1792 |
unknown |
— |
— |
|
|
|
1y ago |
Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server |
| CVE-2025-3913 |
unknown |
— |
— |
|
|
|
1y ago |
Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server |
| CVE-2025-2570 |
unknown |
— |
— |
|
|
|
1y ago |
Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server |
