67 matches found
CVE-2026-4339 SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server
Mattermost versions 10.11.x = 10.11.18, 11.6.x = 11.6.3, 11.5.x = 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in stdio mode to perform server-side request forgery SS...
CVE-2026-4339
Mattermost CPT: CVE-2026-4339 affects Mattermost versions 10.11.x up to 10.11.18, 11.6.x up to 11.6.3, and 11.5.x up to 11.5.6. The vulnerability arises from the Agents plugin MCP server failing to validate attachment URLs against internal/private IP ranges, enabling an attacker with MCP stdio ac...
CVE-2026-9699 Mattermost Agents plugin logs unsanitized OpenAI API keys on authentication errors
Mattermost Plugins versions =11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries...
SUSE CVE-2025-55074
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...
CVE-2025-55074
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...
EUVD-2025-198045
Mattermost allows other users to determine when users had read channels via channel member objects...
Incorrect Default Permissions
Overview Affected versions of this package are vulnerable to Incorrect Default Permissions via the Agents plugin process. An attacker can access information about when users have read channels by querying channel member objects. Remediation Upgrade...
Mattermost allows other users to determine when users had read channels via channel member objects
Mattermost versions 10.11.x = 10.11.3, and 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...
GHSA-9HH7-6558-QFP2 Mattermost allows other users to determine when users had read channels via channel member objects
Mattermost versions 10.11.x = 10.11.3, and 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...
CVE-2025-55074
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...
CVE-2025-55074 Channel member objects leak read status
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...
CVE-2025-55074
Mattermost server (versions 10.11.x <= 10.11.3 and 10.5.x
CVE-2025-55074 Channel member objects leak read status
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...
CVE-2025-55074 Channel member objects leak read status
Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...
PT-2025-47329
Name of the Vulnerable Software and Affected Versions Mattermost versions 10.5.x through 10.5.11 Mattermost versions 10.11.x through 10.11.3 Description The Mattermost application does not properly enforce access permissions within the Agents plugin. This allows other users to determine when user...
EUVD-2025-25431
Malicious code in bioql PyPI...
EUVD-2022-4585
Malicious code in bioql PyPI...
EUVD-2022-2189
Malicious code in bioql PyPI...
EUVD-2023-1608
Malicious code in bioql PyPI...
GO-2025-3906 Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server
Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server...