Lucene search
K

4 matches found

ATTACKERKB
ATTACKERKB
added 2026/05/22 4:26 p.m.6 views

CVE-2026-28735

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL...

5.4CVSS5.8AI score0.00138EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/05/18 8:11 a.m.55 views

CVE-2026-5163 Missing authorization check in AI message rewrite endpoint allows access to private thread content

Mattermost versions 11.5.x = 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite...

6.5CVSS0.00205EPSS
Exploits0References1
CVE
CVE
added 2026/05/18 8:11 a.m.31 views

CVE-2026-5163

Mattermost 11.5.x prior to 11.5.2 (up to 11.5.1 affected) fails to verify channel membership when processing AI-assisted message rewrites, allowing an authenticated user to read content from threads in private channels and direct messages they should not access via a crafted request to the post r...

6.5CVSS5.8AI score0.00205EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/05/18 8:7 a.m.45 views

CVE-2026-4286 Playbooks Plugin fails to validate team transfers, allowing unauthorized removal of member access via playbook update

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID:...

3.1CVSS0.00143EPSS
Exploits0References1
Rows per page
Query Builder