Filtered by vendor Mattermost
Filtered by product Mattermost
Total: 242 CVE
| CVE | Vendor | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2025-9079 | Mattermost | Mattermost, Mattermost Server | 2026-02-26 | 8.0 High | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate the import directory path configuration, which allows admin users to execute arbitrary code via a malicious plugin upload to the prepackaged plugins directory. |
| CVE-2025-58075 | Mattermost | Mattermost, Mattermost Server | 2026-02-26 | 8.1 High | Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify that a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server, regardless of restrictions, by manipulating the RelayState. |
| CVE-2025-58073 | Mattermost | Mattermost, Mattermost Server | 2026-02-26 | 8.1 High | Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify that a user has permission to join a Mattermost team using the original invite token, which allows any attacker to join any team on a Mattermost server, regardless of restrictions, by manipulating the OAuth state. |
| CVE-2025-12419 | Mattermost | Mattermost, Mattermost Server | 2026-02-26 | 9.9 Critical | Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication, which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system, one of which has never logged into Mattermost. |
| CVE-2025-12421 | Mattermost | Mattermost, Mattermost Server | 2026-02-26 | 9.9 Critical | Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled). |
| CVE-2025-13821 | Mattermost | Mattermost, Mattermost Server | 2026-02-18 | 5.7 Medium | Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages, which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560 |
| CVE-2025-14350 | Mattermost | Mattermost, Mattermost Server | 2026-02-18 | 4.3 Medium | Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions, which allows authenticated users to determine the existence of teams and their URL names by posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563 |
| CVE-2025-14573 | Mattermost | Mattermost, Mattermost Server | 2026-02-18 | 3.8 Low | Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without the proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561 |
| CVE-2025-59480 | Mattermost | Mattermost, Mattermost Mobile | 2026-01-21 | 6.1 Medium | Mattermost Mobile Apps versions <=2.32.0 fail to verify that SSO redirect tokens originate from the trusted server, which allows a malicious Mattermost instance or an on-path attacker to obtain user session credentials via crafted token-in-URL responses. |
| CVE-2025-14822 | Mattermost | Mattermost, Mattermost Server | 2026-01-20 | 3.1 Low | Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags, which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands of space-separated tokens. |
| CVE-2025-14435 | Mattermost | Mattermost, Mattermost Server | 2026-01-20 | 6.8 Medium | Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors, which allows authenticated users to cause an application-level DoS by triggering unbounded component re-render loops. |
| CVE-2025-13767 | Mattermost | Mattermost, Mattermost Server | 2025-12-31 | 4.3 Medium | Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to. |
| CVE-2025-64641 | Mattermost | Mattermost, Mattermost Server | 2025-12-31 | 4.1 Medium | Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin, which allows a malicious Mattermost user to exfiltrate Jira tickets when victim users interact with affected posts. |
| CVE-2025-62690 | Mattermost | Mattermost, Mattermost Server | 2025-12-29 | 3.1 Low | Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to a malicious site via a crafted link opened in a new tab. |
| CVE-2025-62190 | Mattermost | Mattermost, Mattermost Server | 2025-12-29 | 4.3 Medium | Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page, which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link. |
| CVE-2025-13352 | Mattermost | Mattermost, Mattermost Server | 2025-12-29 | 3.0 Low | Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate the plugin bot identity in reaction forwarding, which allows attackers to hijack the GitHub reaction feature and make users add reactions to arbitrary GitHub objects via crafted notification posts. |
| CVE-2025-14273 | Mattermost | Mattermost, Mattermost Server | 2025-12-29 | 7.2 High | Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled, and Mattermost Jira plugin versions <=4.4.0, fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555 |
| CVE-2025-13324 | Mattermost | Mattermost, Mattermost Server | 2025-12-29 | 3.7 Low | Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed. |
| CVE-2025-12689 | Mattermost | Mattermost, Mattermost Server | 2025-12-29 | 6.5 Medium | Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check a WebSocket request field for proper UTF-8 format, which allows an attacker to crash the Calls plugin by sending a malformed request. |
| CVE-2025-13326 | Mattermost | Mattermost, Mattermost Desktop | 2025-12-18 | 3.9 Low | Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime when packaged for the Mac App Store, which allows an attacker to inherit TCC permissions by copying the binary to a tmp folder. |
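The version clauses in these entries all share one format (`10.11.x <= 10.11.9` means every 10.11 release up to and including 10.11.9), so a deployed server version can be checked against a batch of entries mechanically. The script below is an added example, not a tool from Mattermost or from this database: it parses that clause format from a handful of the descriptions above (copied into the script as `SAMPLE_ADVISORIES`) and reports, per entry, whether the installed version falls inside a listed branch at or below the last affected patch. `triage`, `classify` and the other names are this example's own.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]

# Affected-version phrases copied from server entries in the listing above.
# Only the version clause matters here; the text after it is abbreviated.
SAMPLE_ADVISORIES: Dict[str, str] = {
    "CVE-2025-9079": "Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, "
                     "10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate the import directory path configuration",
    "CVE-2025-12419": "Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, "
                      "11.0.x <= 11.0.3 fail to properly validate OAuth state tokens",
    "CVE-2025-13821": "Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 "
                      "fail to sanitize sensitive data in WebSocket messages",
    "CVE-2025-13767": "Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, "
                      "10.11.x <= 10.11.7 fail to validate user channel membership",
    "CVE-2025-62690": "Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page",
}

# One clause of the listing's format: "MAJOR.MINOR.x <= MAJOR.MINOR.PATCH".
RANGE_RE = re.compile(r"(\d+)\.(\d+)\.x\s*<=\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse an installed version such as '10.11.7' into (major, minor, patch)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def parse_ranges(description: str) -> Dict[Branch, int]:
    """Map each listed branch to the last affected patch level in that branch."""
    ranges: Dict[Branch, int] = {}
    for maj, mnr, maj2, mnr2, patch in RANGE_RE.findall(description):
        if (maj, mnr) != (maj2, mnr2):
            # The listing never mixes branches inside one clause; refuse rather than guess.
            raise ValueError(f"branch mismatch in clause {maj}.{mnr}.x <= {maj2}.{mnr2}.{patch}")
        ranges[(int(maj), int(mnr))] = int(patch)
    if not ranges:
        raise ValueError("no affected-version clause found")
    return ranges


def classify(installed: Version, ranges: Dict[Branch, int]) -> str:
    """'affected' / 'fixed' when the branch is listed; otherwise the entry says nothing about it."""
    major, minor, patch = installed
    last_affected = ranges.get((major, minor))
    if last_affected is None:
        return "branch not listed"
    return "affected" if patch <= last_affected else "fixed"


def triage(version_text: str, advisories: Dict[str, str] = SAMPLE_ADVISORIES) -> Dict[str, str]:
    """Verdict per CVE for one installed server version."""
    installed = parse_version(version_text)
    return {cve: classify(installed, parse_ranges(desc)) for cve, desc in advisories.items()}


if __name__ == "__main__":
    for cve, verdict in sorted(triage("10.11.7").items()):
        print(f"{cve}: {verdict}")
```

Read "branch not listed" literally: an entry enumerates the branches that received a fix and says nothing about a branch it omits, which may be out of support rather than unaffected (10.9.x and 10.8.x appear in CVE-2025-9079 but in none of the later entries). Treat that verdict as a prompt to read the vendor advisory, not as a pass, and note that the desktop, mobile and plugin entries use a different clause form (`<=2.32.0`, `<6.0.0`) that this parser deliberately does not match.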
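Four of the server entries (CVE-2025-58075, CVE-2025-58073, CVE-2025-12419, CVE-2025-12421) describe one class of bug: the state or token carried through an SSO flow is not bound to the flow that created it, so the RelayState or OAuth state can be rewritten to point at another team, or the completion step can be finished under a different identity than the one that started it. The code below is an added example, not Mattermost code and not the vendor's fix: a generic state store that signs the state, ties it to the user and team/invite that started the flow, and makes it single-use and time-limited, plus the tamper-and-replay attempts such a design must reject. `BoundStateStore`, the claim names and the user/team identifiers are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional


class StateError(Exception):
    """Raised when an SSO state value fails any binding check."""


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class BoundStateStore:
    """Issues state values that are HMAC-signed, single-use, time-limited and
    bound to the user and team/invite of the flow that started them."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending: Dict[str, dict] = {}  # nonce -> claims still awaiting completion

    def issue(self, user_id: str, team_id: str, invite_token: str,
              ttl_s: int = 300, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        claims = {
            "nonce": _b64e(os.urandom(16)),
            "user": user_id,        # who started the flow
            "team": team_id,        # which team the invite was for
            "invite": invite_token, # the original invite, never re-read from the client
            "exp": int(now) + ttl_s,
        }
        body = _b64e(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        self._pending[claims["nonce"]] = claims
        return f"{body}.{tag}"

    def consume(self, state: str, user_id: str, now: Optional[float] = None) -> dict:
        """Return the bound team/invite, or raise StateError. Called once, at flow completion."""
        now = time.time() if now is None else now
        try:
            body, tag = state.split(".", 1)
        except ValueError:
            raise StateError("malformed state")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise StateError("bad signature")  # any edit to team/invite lands here
        claims = json.loads(_b64d(body))
        if now > claims["exp"]:
            raise StateError("expired state")
        if claims["user"] != user_id:
            raise StateError("state issued for a different user")
        # Single use: pop, never get. A second completion with the same state fails.
        if self._pending.pop(claims["nonce"], None) is None:
            raise StateError("unknown or replayed state")
        return {"team": claims["team"], "invite": claims["invite"]}


def tamper_team(state: str, new_team: str) -> str:
    """The rewrite the listing describes: change the team inside the state, keep the tag."""
    body, tag = state.split(".", 1)
    claims = json.loads(_b64d(body))
    claims["team"] = new_team
    return f"{_b64e(json.dumps(claims, sort_keys=True).encode())}.{tag}"


def _outcome(store: BoundStateStore, state: str, user: str, now: Optional[float] = None) -> str:
    try:
        return "ok:" + store.consume(state, user, now=now)["team"]
    except StateError as err:
        return "rejected:" + str(err)


def demo() -> Dict[str, str]:
    """Constructed scenario: alice is invited to team-public; each attempt's verdict is returned."""
    store = BoundStateStore(key=os.urandom(32))
    s1 = store.issue("alice", "team-public", "inv-123")
    s2 = store.issue("alice", "team-public", "inv-123")
    expired = store.issue("bob", "team-x", "inv-9", ttl_s=1, now=1000.0)
    return {
        "tampered": _outcome(store, tamper_team(s1, "team-private"), "alice"),
        "genuine": _outcome(store, s1, "alice"),
        "replay": _outcome(store, s1, "alice"),
        "wrong_user": _outcome(store, s2, "mallory"),
        "expired": _outcome(store, expired, "bob", now=2000.0),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Binding the state closes the rewrite path that the two team-join entries describe. The two account-takeover entries additionally hinge on the completion step trusting an email address that was never verified, so matching the SSO subject against a verified identity (and the RequireEmailVerification setting, which CVE-2025-12421 lists as disabled by default) sits alongside this check, not instead of it.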