Lucene search
K

13 matches found

Vulnrichment
Vulnrichment
added 2026/05/18 6:58 a.m.13 views

CVE-2026-3495 Unescaped variables during error page composition

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those...

3.8CVSS5.9AI score0.00143EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/25 6:31 p.m.46 views

EUVD-2026-15806

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to properly validate CSRF tokens in the /api/v4/accesscontrolpolicies/policyid/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a craft...

4.6CVSS5.8AI score0.00123EPSS
Exploits0References2
CVE
CVE
added 2026/03/16 8:19 p.m.16 views

CVE-2026-26230

Mattermost: Affected software is Mattermost 10.11.x up to 10.11.10. The issue arises from improper validation of permission requirements in the team member roles API endpoint, enabling a team administrator to demote members to the guest role. Root cause is insufficient permission checks in that e...

3.8CVSS5.8AI score0.00159EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/16 2:54 p.m.5 views

CVE-2026-22545

Mattermost versions 10.11.x = 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider.. Mattermost Advisory ID:...

3.1CVSS5.8AI score0.00148EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/03/16 12:4 p.m.27 views

CVE-2026-25783 Denial of service via malformed User-Agent header in getBrowserVersion

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586...

4.3CVSS0.00285EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/16 11:13 a.m.25 views

CVE-2026-2463 Unauthorized access to invite ID during team creation

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID:...

4.3CVSS0.0017EPSS
Exploits0References1
CVE
CVE
added 2026/03/16 11:6 a.m.29 views

CVE-2026-2456

Mattermost is affected by CVE-2026-2456 due to an unbounded memory allocation when handling responses from integration action endpoints. A authenticated attacker can cause server memory exhaustion and a denial of service by having a malicious integration server return an arbitrarily large respons...

5.7CVSS5.8AI score0.00165EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/16 12:0 a.m.12 views

PT-2026-8341

Name of the Vulnerable Software and Affected Versions Mattermost versions 10.11.0 through 10.11.9 Description Mattermost versions 10.11.x up to and including 10.11.9 do not properly enforce invite permissions when team settings are updated. This allows team administrators lacking the necessary...

9.9CVSS5.1AI score0.27661EPSS
Exploits45References113
RedhatCVE
RedhatCVE
added 2025/12/18 12:40 p.m.21 views

CVE-2025-13352

Mattermost versions 10.11.x = 10.11.6 and Mattermost GitHub plugin versions =2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts...

3CVSS7AI score0.00145EPSS
Exploits0References1
EUVD
EUVD
added 2025/12/17 3:34 p.m.4 views

EUVD-2025-203891

Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection...

3CVSS6.6AI score0.00145EPSS
Exploits0References4
NVD
NVD
added 2025/12/17 1:15 p.m.5 views

CVE-2025-13352

Mattermost versions 10.11.x = 10.11.6 and Mattermost GitHub plugin versions =2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts...

3CVSS0.00145EPSS
Exploits0References1
OSV
OSV
added 2025/12/17 1:15 p.m.5 views

CVE-2025-13352

Mattermost versions 10.11.x = 10.11.6 and Mattermost GitHub plugin versions =2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts...

3CVSS6.9AI score
Exploits0References1
Cvelist
Cvelist
added 2025/10/16 8:24 a.m.8 views

CVE-2025-10545 Guest user can add unauthorized team users to private channels

Mattermost versions 10.5.x = 10.5.10, 10.11.x = 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the /api/v4/channels/channelid/members endpoint...

3.1CVSS0.00306EPSS
Exploits0References1
Rows per page
Query Builder