Lucene search
K

534 matches found

NVD
NVD
added 2026/06/22 2:17 p.m.10 views

CVE-2026-6673

Mattermost versions 11.7.x = 11.7.0, 11.6.x = 11.6.2, 11.5.x = 11.5.5, 10.11.x = 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira integration via POST to /ac/installed during the...

6.4CVSS0.00177EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 1:34 p.m.39 views

CVE-2026-5139 GitLab Plugin Allows Non-Admin Users to Modify Default Instance Configuration

Mattermost versions 11.7.x slash command.. Mattermost Advisory ID: MMSA-2026-00644...

5.4CVSS0.0017EPSS
Exploits0References1
NVD
NVD
added 2026/06/12 5:16 p.m.32 views

CVE-2026-6739

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15, 10.11.x = 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-i...

7.2CVSS0.00257EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 3:52 p.m.10 views

EUVD-2026-36502

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15, 10.11.x = 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels ...

5.3CVSS5.2AI score0.0019EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.11 views

PT-2026-48941

Name of the Vulnerable Software and Affected Versions Mattermost versions prior to 11.6.2 Mattermost versions prior to 11.5.5 Mattermost versions prior to 10.11.17 Description Insufficient role-management authorization occurs when setting the scheme admin flag on group syncable link and patch...

8.8CVSS5.9AI score0.00298EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/25 7:10 a.m.11 views

CVE-2026-4915 Server panic via outgoing webhook responses

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service server process termination via a crafted webhook...

6.5CVSS5.8AI score0.00277EPSS
Exploits0References1
NVD
NVD
added 2026/05/22 5:16 p.m.16 views

CVE-2026-28735

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL...

5.4CVSS0.00138EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/22 12:0 a.m.9 views

Mattermost 安全漏洞

Mattermost is an open-source collaboration platform developed by the American company Mattermost. Vulnerabilities exist in versions of Mattermost 11.6.0 and earlier 11.6.x series, as well as versions prior to 11.5.3 11.5.x series, 11.4.4 and earlier 11.4.x series, and 10.11.14 and earlier 10.11.x...

5.4CVSS5.8AI score0.00138EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/22 12:0 a.m.14 views

PT-2026-42751

Name of the Vulnerable Software and Affected Versions Mattermost version 11.6.0 Mattermost version 11.5.3 Mattermost version 11.4.4 Mattermost version 10.11.14 Description Authenticated users with file upload or posting permissions can cause a denial of service resulting in server Out of Memory O...

6.8CVSS5.8AI score0.00245EPSS
Exploits0References9
Snyk
Snyk
added 2026/05/18 11:47 a.m.6 views

Incorrect Authorization

Overview github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative Affected versions of this package are vulnerable to Incorrect Authorization via the command update API. An attacker can impersonate existing system or custom commands by editing their own slash...

5.3CVSS5.8AI score0.00152EPSS
Exploits0References2
OSV
OSV
added 2026/05/18 9:31 a.m.7 views

GHSA-JX93-PF6X-874R Mattermost doesn't escape some variables that could contain malicious content during error page composition

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those...

3.8CVSS5.9AI score0.00143EPSS
Exploits0References4
NVD
NVD
added 2026/05/18 9:16 a.m.49 views

CVE-2026-6333

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header.. Mattermost...

5CVSS0.00137EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/18 8:40 a.m.6 views

CVE-2026-6345

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail prevent disclosure of created user password which allows a malicious attacker to impersonate a user via the use of some of those passwords.. Mattermost Advisory ID: MMSA-2026-00614...

6.5CVSS5.8AI score0.00231EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/15 9:31 p.m.11 views

Mattermost doesn't enforce the PostEditTimeLimit on non-message post fields

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has expired via the post patch and update API endpoints...

4.3CVSS5.8AI score0.00165EPSS
Exploits0References3Affected Software1
GithubExploit
GithubExploit
added 2026/04/24 2:36 p.m.120 views

Exploit for Path Traversal in Mattermost Mattermost_Server

🔥 CVE-2025-25279 — Mattermost 10.4.1 📤 Path Traversal dan...

9.9CVSS5.3AI score0.2251EPSS
Exploits1
NVD
NVD
added 2026/04/15 11:16 a.m.36 views

CVE-2026-28741

Mattermost versions 10.11.x = 10.11.12, 11.5.x = 11.5.0, 11.4.x = 11.4.2, 11.3.x = 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost...

8.1CVSS0.00129EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/15 10:11 a.m.3 views

CVE-2026-27769

Mattermost versions 10.11.x = 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API...

2.7CVSS5.8AI score0.00167EPSS
Exploits0References2Affected Software1
SUSE CVE
SUSE CVE
added 2026/03/28 12:28 a.m.8 views

SUSE CVE-2026-25783

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586...

4.3CVSS5.9AI score0.00285EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/26 6:31 p.m.11 views

Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences...

8.8CVSS5.9AI score0.00268EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/03/26 5:16 p.m.10 views

CVE-2026-3115

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint...

4.3CVSS0.00231EPSS
Exploits0References1
Rows per page
Query Builder