20 matches found
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal in the integration action URL process. An attacker can execute arbitrary API calls with system administrator privileges by exploiting path traversal in the integration action URL when authenticated with a...
CVE-2026-4858 Path traversal in integration action URL leading to arbitrary API execution via system admin’s auth token.
Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action...
EUVD-2026-31242
Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action...
CVE-2026-4858 Path traversal in integration action URL leading to arbitrary API execution via system admin’s auth token.
Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action...
CVE-2026-4858
Mattermost CVE-2026-4858 affects versions 11.6.x, 11.5.x, 11.4.x and 10.11.x where the integration action URL does not properly validate path traversal. This allows a malicious authenticated user to call an arbitrary API using the system admin Mattermost token by exploiting the path traversal in ...
PT-2026-42439
Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action...
CVE-2026-4302
The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint optn/v1/integration-action with a permissioncallback of returntrue that...
EUVD-2026-13980
The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint optn/v1/integration-action with a permissioncallback of returntrue that...
CVE-2026-4302
The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint optn/v1/integration-action with a permissioncallback of returntrue that...
CVE-2026-4302
The WowOptin: Next-Gen Popup Maker plugin for WordPress is affected by Server-Side Request Forgery (SSRF) in versions up to and including 1.4.29. The vulnerability stems from a publicly accessible REST API endpoint (optn/v1/integration-action) that uses a permissive permission_callback (__return_...
CVE-2026-4302 WowOptin: Next-Gen Popup Maker <= 1.4.29 - Unauthenticated Server-Side Request Forgery via 'link' Parameter in REST API
The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint optn/v1/integration-action with a permissioncallback of returntrue that...
EUVD-2026-12383
Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 Mattermost fails to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that return...
CVE-2026-2456
Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 Mattermost fails to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that return...
EUVD-2024-3042
Malicious code in bioql PyPI...
Missing Authorization
Mattermost is vulnerable to Missing Authorization. The vulnerability is due to a failure to check that the origin of the message in an integration action matches the original post metadata, which allows an authenticated user to delete an arbitrary post...
Mattermost Server 9.5.x < 9.5.9 / 9.10.x < 9.10.2 / 9.11.x < 9.11.1 Multiple Vulnerabilities
The version of Mattermost Server installed on the remote host is prior to 9.5.9, 9.10.2, or 9.11.1. It is, therefore, affected by multiple vulnerabilities. - Mattermost versions 9.10.x = 9.10.2, 9.11.x = 9.11.1, 9.5.x = 9.5.9 fail to sanitize user inputs in the frontend that are used for...
Mattermost server allows authenticated user to delete arbitrary post
Mattermost versions 9.10.x = 9.10.2, 9.11.x = 9.11.1, 9.5.x = 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post...
GHSA-G376-M3H3-MJ4R Mattermost server allows authenticated user to delete arbitrary post
Mattermost versions 9.10.x = 9.10.2, 9.11.x = 9.11.1, 9.5.x = 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post...
CVE-2024-50052
Mattermost versions 9.10.x = 9.10.2, 9.11.x = 9.11.1, 9.5.x = 9.5.9 fail to check that the origin of the message in an integration action matches with the original post metadata which allows an authenticated user to delete an arbitrary post...
CVE-2024-50052
CVE-2024-50052 affects Mattermost versions 9.5.x, 9.10.x, and 9.11.x up to the indicated patch levels, where an authentication-validated integration action fails to verify that the origin of the message matches the original post metadata. This allows an authenticated user to delete an arbitrary p...