Filtered by vendor Mattermost
Subscribe
Total
499 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-41443 | 1 Mattermost | 1 Mattermost Server | 2025-10-29 | N/A | 4.3 MEDIUM |
|
Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint
|
|||||
| CVE-2025-10545 | 1 Mattermost | 1 Mattermost Server | 2025-10-21 | N/A | 3.1 LOW |
|
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint
|
|||||
| CVE-2025-41410 | 1 Mattermost | 1 Mattermost Server | 2025-10-21 | N/A | 5.4 MEDIUM |
|
Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions
|
|||||
| CVE-2025-54499 | 1 Mattermost | 1 Mattermost Server | 2025-10-21 | N/A | 3.1 LOW |
|
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets
|
|||||
| CVE-2025-58073 | 1 Mattermost | 1 Mattermost Server | 2025-10-21 | N/A | 8.1 HIGH |
|
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state.
|
|||||
| CVE-2025-58075 | 1 Mattermost | 1 Mattermost Server | 2025-10-21 | N/A | 8.1 HIGH |
|
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState
|
|||||
| CVE-2025-3230 | 1 Mattermost | 1 Mattermost Server | 2025-10-15 | N/A | 5.4 MEDIUM |
|
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.
|
|||||
| CVE-2025-2571 | 1 Mattermost | 1 Mattermost Server | 2025-10-15 | N/A | 4.2 MEDIUM |
|
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.
|
|||||
| CVE-2025-1792 | 1 Mattermost | 1 Mattermost Server | 2025-10-15 | N/A | 3.1 LOW |
|
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint.
|
|||||
| CVE-2024-48872 | 1 Mattermost | 1 Mattermost Server | 2025-10-15 | N/A | 4.8 MEDIUM |
|
Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests
|
|||||
| CVE-2025-6227 | 1 Mattermost | 1 Mattermost Server | 2025-10-14 | N/A | 2.2 LOW |
|
Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API.
|
|||||
| CVE-2025-31947 | 1 Mattermost | 1 Mattermost Server | 2025-10-06 | N/A | 5.8 MEDIUM |
|
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lockout LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts through repeated login failures through Mattermost.
|
|||||
| CVE-2025-2570 | 1 Mattermost | 1 Mattermost Server | 2025-10-06 | N/A | 2.7 LOW |
|
Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSettings` which allows a System Manager to access `ExperimentSettings` when `RestrictSystemAdmin` is true via System Console.
|
|||||
| CVE-2025-3913 | 1 Mattermost | 1 Mattermost Server | 2025-10-03 | N/A | 5.3 MEDIUM |
|
Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.
|
|||||
| CVE-2025-6465 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 4.3 MEDIUM |
|
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.
|
|||||
| CVE-2025-6233 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 6.8 MEDIUM |
|
Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.
|
|||||
| CVE-2025-6226 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 6.5 MEDIUM |
|
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts.
|
|||||
| CVE-2025-25279 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 9.9 CRITICAL |
|
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitrary file on the system via importing and exporting a specially crafted import archive in Boards.
|
|||||
| CVE-2025-20033 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 4.3 MEDIUM |
|
Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.
|
|||||
| CVE-2025-22445 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 3.5 LOW |
|
Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.
|
|||||
| CVE-2025-32093 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 4.7 MEDIUM |
|
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the "Edit Other Users" permission to perform unauthorized modifications to system administrators via improper permission validation.
|
|||||
| CVE-2025-2475 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 5.4 MEDIUM |
|
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a bot which allows an attacker to login to the bot exactly one time via normal credentials.
|
|||||
| CVE-2025-24839 | 1 Mattermost | 1 Mattermost Server | 2025-10-02 | N/A | 3.1 LOW |
|
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override property to a post via the Wrangler plugin, provided both the AI and Wrangler plugins are enabled.
|
|||||
| CVE-2025-8402 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 4.9 MEDIUM |
|
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.
|
|||||
| CVE-2025-41395 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 6.5 MEDIUM |
|
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of service (DoS) of the web app for all users.
|
|||||
| CVE-2024-11599 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 8.2 HIGH |
|
Mattermost versions 10.0.x <= 10.0.1, 10.1.x <= 10.1.1, 9.11.x <= 9.11.3, 9.5.x <= 9.5.11 fail to properly validate email addresses which allows an unauthenticated user to bypass email domain restrictions via carefully crafted input on email registration.
|
|||||
| CVE-2024-12247 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 4.6 MEDIUM |
|
Mattermost versions 9.7.x <= 9.7.5, 9.8.x <= 9.8.2 and 9.9.x <= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated.
|
|||||
| CVE-2025-20088 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 6.5 MEDIUM |
|
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
|
|||||
| CVE-2025-27571 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 4.3 MEDIUM |
|
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived.
|
|||||
| CVE-2025-27538 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 2.2 LOW |
|
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate MFA for other users, even if those users have not set up MFA.
|
|||||
| CVE-2025-2424 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 3.1 LOW |
|
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation.
|
|||||
| CVE-2025-24866 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 2.7 LOW |
|
Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs.
|
|||||
| CVE-2025-1472 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 4.3 MEDIUM |
|
Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.
|
|||||
| CVE-2025-24526 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 4.3 MEDIUM |
|
Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a user to export channel contents when they shouldn't have access to it
|
|||||
| CVE-2025-24490 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 9.6 CRITICAL |
|
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query of boards reordering which allows an attacker to retrieve data from the database, via a SQL injection when reordering specially crafted boards categories.
|
|||||
| CVE-2025-1412 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 3.1 LOW |
|
Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot.
|
|||||
| CVE-2025-20621 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 6.5 MEDIUM |
|
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel.
|
|||||
| CVE-2024-10241 | 1 Mattermost | 1 Mattermost Server | 2025-09-30 | N/A | 4.3 MEDIUM |
|
Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K.
|
|||||
| CVE-2025-21088 | 1 Mattermost | 1 Mattermost Server | 2025-09-30 | N/A | 6.5 MEDIUM |
|
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input.
|
|||||
| CVE-2025-20086 | 1 Mattermost | 1 Mattermost Server | 2025-09-30 | N/A | 6.5 MEDIUM |
|
Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
|
|||||