Package impact

golang Go / github.com/mattermost/mattermost-server/v5

CVE Severity CVSS Risk Published Description Impact
CVE-2021-37860 low 2.5 5y ago Cross-site Scripting in Mattermost in github.com/mattermost/mattermost-server arch golang
CVE-2026-24692 unknown 2mo ago Mattermost fails to properly enforce read permissions in search API endpoints in github.com/mattermost/mattermost-server golang
CVE-2026-2455 unknown 2mo ago Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation in github.com/mattermost/mattermost-server golang
CVE-2026-22545 unknown 2mo ago Mattermost fails to validate user's authentication method when processing account auth type switch in github.com/mattermost/mattermost-server golang
CVE-2026-4265 unknown 2mo ago Mattermost fails to validate team-specific upload_file permissions in github.com/mattermost/mattermost-server golang
CVE-2026-21386 unknown 2mo ago Mattermost fails to use consistent error responses when handling the /mute command in github.com/mattermost/mattermost-server golang
CVE-2026-2578 unknown 2mo ago Mattermost fails to preserve the redacted state of burn-on-read posts during deletion in github.com/mattermost/mattermost-server golang
CVE-2026-2456 unknown 2mo ago Mattermost fails to limit the size of responses from integration action endpoints in github.com/mattermost/mattermost-server golang
CVE-2026-2458 unknown 2mo ago Mattermost allows a removed team member to enumerate all public channels within a private team in github.com/mattermost/mattermost-server golang
CVE-2026-2463 unknown 2mo ago Mattermost fails to filter invite IDs based on user permissions in github.com/mattermost/mattermost-server golang
CVE-2026-26246 unknown 2mo ago Mattermost fails to bound memory allocation when processing PSD image files in github.com/mattermost/mattermost-server golang
CVE-2026-24458 unknown 2mo ago Mattermost fails to properly handle very long passwords in github.com/mattermost/mattermost-server golang
CVE-2026-25783 unknown 2mo ago Mattermost fails to properly validate User-Agent header tokens in github.com/mattermost/mattermost-server golang
CVE-2026-2457 unknown 2mo ago Mattermost allows attackers to spoof permalink embeds in github.com/mattermost/mattermost-server golang
CVE-2026-25780 unknown 2mo ago Mattermost fails to bound memory allocation when processing DOC files in github.com/mattermost/mattermost-server golang
CVE-2025-14573 unknown 3mo ago Mattermost fails to enforce invite permissions when updating team settings in github.com/mattermost/mattermost-server golang
CVE-2025-14350 unknown 3mo ago Mattermost fails to properly validate team membership when processing channel mentions in github.com/mattermost/mattermost-server golang
CVE-2025-13821 unknown 3mo ago Mattermost fails to sanitize sensitive data in WebSocket messages in github.com/mattermost/mattermost-server golang
CVE-2026-0999 unknown 3mo ago Mattermost fails to properly validate login method restrictions in github.com/mattermost/mattermost-server golang
CVE-2025-64641 unknown 5mo ago Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin in github.com/mattermost/mattermost-server golang
CVE-2025-13767 unknown 5mo ago Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues in github.com/mattermost/mattermost-server golang
CVE-2025-14273 unknown 5mo ago Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira golang
CVE-2025-13324 unknown 5mo ago Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost golang
CVE-2025-13352 unknown 5mo ago Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost golang
CVE-2025-62690 unknown 5mo ago Mattermost has missing redirect URL validation in github.com/mattermost/mattermost golang
CVE-2025-13870 unknown 6mo ago Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost golang
CVE-2025-12756 unknown 6mo ago Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost golang
CVE-2025-12421 unknown 6mo ago Mattermost fails to verify the token used during code exchange in github.com/mattermost/mattermost-server golang
CVE-2025-12419 unknown 6mo ago Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server golang
CVE-2025-12559 unknown 6mo ago Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server golang
CVE-2025-55074 unknown 6mo ago Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server golang
CVE-2025-11794 unknown 6mo ago Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server golang
CVE-2025-11776 unknown 7mo ago Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost golang
CVE-2025-41436 unknown 7mo ago Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server golang
CVE-2025-55073 unknown 7mo ago Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server golang
CVE-2025-55070 unknown 7mo ago Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server golang
CVE-2025-11777 unknown 7mo ago Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost golang
CVE-2025-58075 unknown 7mo ago Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-41410 unknown 7mo ago Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-54499 unknown 7mo ago Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-58073 unknown 7mo ago Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-10545 unknown 7mo ago Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-9081 unknown 8mo ago Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards golang
CVE-2025-9079 unknown 8mo ago Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-9084 unknown 8mo ago Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-9078 unknown 8mo ago Mattermost makes Use of Weak Hash in github.com/mattermost/mattermost-server golang
CVE-2025-9072 unknown 8mo ago Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-9076 unknown 8mo ago Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-8402 unknown 9mo ago Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server golang
CVE-2025-6465 unknown 9mo ago Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server golang
CVE-2025-8023 unknown 9mo ago Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server golang
CVE-2025-36530 unknown 9mo ago Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server golang
CVE-2025-53971 unknown 9mo ago Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server golang
CVE-2025-47700 unknown 9mo ago Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server golang
CVE-2025-47870 unknown 9mo ago Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server golang
CVE-2025-49222 unknown 9mo ago Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server golang
CVE-2025-49810 unknown 9mo ago Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server golang
CVE-2025-6233 unknown 10mo ago Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-6227 unknown 10mo ago Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server golang
CVE-2025-6226 unknown 10mo ago Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server golang
CVE-2025-47871 unknown 11mo ago Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-46702 unknown 11mo ago Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-3228 unknown 11mo ago Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server golang
CVE-2025-3227 unknown 11mo ago Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server golang
CVE-2025-4981 unknown 11mo ago Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server golang
CVE-2025-4128 unknown 1y ago Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server golang
CVE-2025-4573 unknown 1y ago Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server golang
CVE-2025-1792 unknown 1y ago Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server golang
CVE-2025-3611 unknown 1y ago Mattermost fails to properly enforce access control restrictions for System Manager roles in github.com/mattermost/mattermost-server golang
CVE-2025-3230 unknown 1y ago Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server golang
CVE-2025-2571 unknown 1y ago Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server golang
CVE-2025-3913 unknown 1y ago Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server golang
CVE-2025-2570 unknown 1y ago Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server golang
CVE-2025-2527 unknown 1y ago Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server golang
CVE-2025-3446 unknown 1y ago Mattermost Fails to Validate Team Invite Permissions in github.com/mattermost/mattermost-server golang
CVE-2025-31947 unknown 1y ago Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server golang
CVE-2025-35965 unknown 1y ago Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks golang
CVE-2025-41423 unknown 1y ago Mattermost Playbooks fails to properly validate permissions in github.com/mattermost/mattermost-plugin-playbooks golang
CVE-2025-41395 unknown 1y ago Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks golang
CVE-2025-2564 unknown 1y ago Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-27936 unknown 1y ago Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams golang
CVE-2025-31363 unknown 1y ago Mattermost doesn't restrict domains LLM can request to contact upstream in github.com/mattermost/mattermost-server golang
CVE-2025-27538 unknown 1y ago Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server golang
CVE-2025-27571 unknown 1y ago Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-24839 unknown 1y ago Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-2475 unknown 1y ago Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-server golang
CVE-2025-2424 unknown 1y ago Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server golang
CVE-2025-32093 unknown 1y ago Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server golang
CVE-2025-24866 unknown 1y ago Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint in github.com/mattermost/mattermost-server golang
CVE-2025-30179 unknown 1y ago Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server golang
CVE-2025-27715 unknown 1y ago Mattermost fails to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server golang
CVE-2025-27933 unknown 1y ago Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server golang
CVE-2025-25068 unknown 1y ago Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server golang
CVE-2025-25274 unknown 1y ago Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server golang
CVE-2025-24920 unknown 1y ago Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server golang
CVE-2025-1472 unknown 1y ago Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server golang
CVE-2025-24526 unknown 1y ago Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server golang
CVE-2025-25279 unknown 1y ago Mattermost allows reading arbitrary files related to importing boards in github.com/mattermost/mattermost-server golang
CVE-2025-1412 unknown 1y ago Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server golang
CVE-2025-20051 unknown 1y ago Mattermost allows reading arbitrary files in github.com/mattermost/mattermost-server golang