CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

41 matches found

CVE-2026-13426

The Mattermost Go module github.com/mattermost/mattermost/server/public versions v0.1.22 fail to validate path parameters when constructing API route paths which allows an attacker to redirect API calls to unintended endpoints via crafted IDs containing path traversal components. Mattermost...

5.4CVSS

Exploits0References1

ATTACKERKB•added 2026/05/21 8:22 a.m.•7 views

CVE-2026-22880

Mattermost Mobile Apps versions =2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via relaying the SSO...

6.1CVSS5.9AI score0.00117EPSS

Exploits0References2

OSV•added 2026/05/18 9:31 a.m.•10 views

GHSA-GVG4-JHMR-6J23 Mattermost doesn't check if {{team_id}} was being changed when updating playbooks

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID:...

3.1CVSS5.8AI score0.00143EPSS

Exploits0References4

Github Security Blog•added 2026/05/18 9:31 a.m.•8 views

Mattermost doesn't check if {{team_id}} was being changed when updating playbooks

4.3CVSS5.8AI score0.00143EPSS

Exploits0References4Affected Software2

NVD•added 2026/05/18 9:16 a.m.•18 views

CVE-2026-4286

4.3CVSS0.00143EPSS

Exploits0References1

SUSE CVE•added 2026/04/06 11:25 p.m.•1 views

SUSE CVE-2026-26233

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service server crash and restart via HTTP/2 single packet attack with 100+ parallel login requests...

6.5CVSS5.8AI score0.00305EPSS

Exploits0References3

SUSE CVE•added 2026/03/28 6:28 p.m.•4 views

SUSE CVE-2026-4265

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to validate team-specific uploadfile permissions which allows a guest user to post files in channels where they lack uploadfile permission via uploading files in a team where they have permission and reusing the file...

4.3CVSS5.9AI score0.00218EPSS

Exploits0References3

OSV•added 2026/03/26 6:31 p.m.•5 views

GHSA-3MW5-466Q-295Q Mattermost allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration

Mattermost versions 11.4.x = 11.4.0, 11.3.x = 11.3.1, 11.2.x = 11.2.3, 10.11.x = 10.11.11 fail to validate Advanced Logging file target paths which allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration in support packet generation. Mattermost...

6.8CVSS6AI score0.00421EPSS

Exploits0References3

Vulnrichment•added 2026/03/26 4:29 p.m.•1 views

CVE-2026-3112 Arbitrary File Read via Advanced Logging Support Packet

6.8CVSS5.9AI score0.00421EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:8 p.m.•4 views

CVE-2026-2461

Mattermost Plugins versions =11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559...

4.3CVSS5.8AI score0.00162EPSS

Exploits1References1

RedhatCVE•added 2026/03/26 3:6 p.m.•3 views

CVE-2026-26304

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2 fail to verify runcreate permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542...

4.3CVSS5.8AI score0.00159EPSS

Exploits0References1

OSV•added 2026/03/16 9:34 p.m.•4 views

GHSA-4PMX-622H-X359 Mattermost fails to verify run_create permission for empty playbookId

4.3CVSS5.8AI score0.00159EPSS

Exploits0References4

NVD•added 2026/03/16 9:16 p.m.•3 views

CVE-2026-26230

Mattermost versions 10.11.x = 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531...

3.8CVSS0.00159EPSS

Exploits0References1

Vulnrichment•added 2026/03/16 8:10 p.m.•2 views

CVE-2026-2454 DoS in Calls plugin via malformed msgpack in websocket request.

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket messages to calls plugin. Mattermost Advisory ID:...

5.8CVSS5.8AI score0.00274EPSS

Exploits0References1

EUVD•added 2026/03/16 3:30 p.m.•2 views

EUVD-2026-12443

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554...

4.3CVSS5.8AI score0.00165EPSS

Exploits0References2

OSV•added 2026/03/16 3:30 p.m.•4 views

GHSA-HF8W-X9H5-5GF9 Mattermost Boards Plugin fails to implement authorisation checks on comment block modifications

4.3CVSS5.8AI score0.00162EPSS

Exploits1References4

OSV•added 2026/03/16 3:16 p.m.•4 views

CVE-2026-24692

4.3CVSS5.9AI score

Exploits0References1

Cvelist•added 2026/03/16 11:13 a.m.•24 views

CVE-2026-2463 Unauthorized access to invite ID during team creation

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Mattermost Advisory ID:...

4.3CVSS0.0017EPSS

Exploits0References1