Lucene search
K

27 matches found

OSV
OSV
added 2026/05/18 9:31 a.m.14 views

GHSA-GVG4-JHMR-6J23 Mattermost doesn't check if {{team_id}} was being changed when updating playbooks

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID:...

3.1CVSS5.8AI score0.00143EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/18 9:31 a.m.11 views

Mattermost doesn't check if {{team_id}} was being changed when updating playbooks

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID:...

4.3CVSS5.8AI score0.00143EPSS
Exploits0References4Affected Software2
NVD
NVD
added 2026/05/18 9:16 a.m.19 views

CVE-2026-4286

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID:...

4.3CVSS0.00143EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/04/06 11:25 p.m.4 views

SUSE CVE-2026-26233

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service server crash and restart via HTTP/2 single packet attack with 100+ parallel login requests...

6.5CVSS5.8AI score0.00305EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/03/28 6:28 p.m.4 views

SUSE CVE-2026-4265

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to validate team-specific uploadfile permissions which allows a guest user to post files in channels where they lack uploadfile permission via uploading files in a team where they have permission and reusing the file...

4.3CVSS5.9AI score0.00218EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/26 4:29 p.m.1 views

CVE-2026-3112 Arbitrary File Read via Advanced Logging Support Packet

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to validate Advanced Logging file target paths which allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration in support packet generation. Mattermost...

6.8CVSS5.9AI score0.00421EPSS
Exploits0References1
OSV
OSV
added 2026/03/16 9:34 p.m.4 views

GHSA-4PMX-622H-X359 Mattermost fails to verify run_create permission for empty playbookId

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2 fail to verify runcreate permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542...

4.3CVSS5.8AI score0.00159EPSS
Exploits0References4
NVD
NVD
added 2026/03/16 9:16 p.m.4 views

CVE-2026-26230

Mattermost versions 10.11.x = 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531...

3.8CVSS0.00159EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/16 8:10 p.m.2 views

CVE-2026-2454 DoS in Calls plugin via malformed msgpack in websocket request.

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket messages to calls plugin. Mattermost Advisory ID:...

5.8CVSS5.8AI score0.00274EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/16 3:30 p.m.4 views

EUVD-2026-12443

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554...

4.3CVSS5.8AI score0.00165EPSS
Exploits0References2
OSV
OSV
added 2026/03/16 3:30 p.m.4 views

GHSA-HF8W-X9H5-5GF9 Mattermost Boards Plugin fails to implement authorisation checks on comment block modifications

Mattermost Plugins versions =11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559...

4.3CVSS5.8AI score0.00162EPSS
Exploits1References4
OSV
OSV
added 2026/03/16 2:56 p.m.5 views

CVE-2026-24692 Guest users can bypass read permissions via search API

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554...

4.3CVSS6.2AI score0.00165EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/16 11:13 a.m.25 views

CVE-2026-2463 Unauthorized access to invite ID during team creation

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID:...

4.3CVSS0.0017EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/16 12:0 a.m.2 views

PT-2026-25685

Mattermost Plugins versions =11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559...

4.3CVSS5.8AI score0.00162EPSS
Exploits1References8
SUSE CVE
SUSE CVE
added 2026/03/11 5:28 p.m.5 views

SUSE CVE-2025-14573

Mattermost versions 10.11.x = 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561...

3.8CVSS5.8AI score0.00157EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/03/04 12:29 a.m.10 views

SUSE CVE-2026-22892

Mattermost versions 11.1.x = 11.1.2, 10.11.x = 10.11.9, 11.2.x = 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have acce...

4.3CVSS5.8AI score0.00239EPSS
Exploits0References3
OSV
OSV
added 2026/02/16 3:32 p.m.2 views

GHSA-CGJG-P2M2-QM4P Mattermost fails to enforce invite permissions when updating team settings

Mattermost versions 10.11.x = 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561...

3.8CVSS5.9AI score0.00157EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/02/16 3:32 p.m.4 views

Mattermost fails to enforce invite permissions when updating team settings

Mattermost versions 10.11.x = 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561...

3.8CVSS5.5AI score0.00157EPSS
Exploits0References4Affected Software2
OSV
OSV
added 2026/02/16 12:30 p.m.6 views

GHSA-W65C-FVP5-FVC5 Mattermost Plugin Zoom fail to validate user identity and post ownership in the {{/api/v1/askPMI}} endpoint

Mattermost versions 11.1.x = 11.1.2, 10.11.x = 10.11.9, 11.2.x = 11.2.1 and Mattermost Plugin Zoom versions =1.11.0 fail to validate user identity and post ownership in the /api/v1/askPMI endpoint which allows unauthorized users to start Zoom meetings as any user and overwrite arbitrary posts via...

4.3CVSS5.7AI score0.00152EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/02/16 12:30 p.m.7 views

Mattermost fails to properly validate login method restrictions

Mattermost versions 11.1.x = 11.1.2, 10.11.x = 10.11.9, 11.2.x = 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548...

5.4CVSS5.5AI score0.00172EPSS
Exploits0References4Affected Software2
Rows per page
Query Builder