Lucene search
K

80 matches found

CVE
CVE
added 2026/06/22 1:40 p.m.20 views

CVE-2026-6062

CVE-2026-6062 affects Mattermost versions 11.7.x ≤ 11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, and 10.11.x ≤ 10.11.17. The issue is a logic flaw where the system fails to validate channel ownership of an existing subscription before applying edits, enabling an authenticated attacker to hijack subsc...

6.4CVSS5.9AI score0.00153EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/06/22 1:36 p.m.11 views

CVE-2026-9162

Mattermost vulnerability CVE-2026-9162 affects Mattermost versions 11.7.x ≤ 11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, 10.11.x ≤ 10.11.17. The issue: global session revocation does not invalidate cached authentication state for active WebSocket connections, allowing a user with an existing WebSock...

4.3CVSS5.9AI score0.00202EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/15 1:55 p.m.10 views

CVE-2026-6517 Mattermost Desktop App fails to restrict the allow list of domains which NTLM credentials are passed

Mattermost Desktop App versions =6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users credentials via embedding an image that...

6.3CVSS5.2AI score0.00187EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.11 views

PT-2026-49238

Name of the Vulnerable Software and Affected Versions Mattermost Desktop App versions prior to 6.1 Mattermost Desktop App version 5.5.13.0 Description The application fails to restrict the allow list of domains for NTLM credential forwarding. This allows a user on a server where the image proxy i...

7.7CVSS5.9AI score0.00187EPSS
Exploits0References6
NVD
NVD
added 2026/06/12 5:16 p.m.15 views

CVE-2026-3433

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15, 10.11.x = 10.11.16 fail to restrict roleupdated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change...

4.3CVSS0.0018EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 3:54 p.m.9 views

CVE-2026-7387 Mattermost group syncable endpoints allow privilege escalation via scheme_admin

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15, 10.11.x = 10.11.16 Mattermost fails to require role-management authorization when setting the schemeadmin flag on group syncable link and patch endpoints, which allows a user with group-link permissions to escalate themselv...

8.8CVSS5.3AI score0.00298EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 3:51 p.m.9 views

EUVD-2026-36501

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15, 10.11.x = 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation the check was only applied on update/patch, which allows an authenticated user holding...

4.3CVSS5.3AI score0.00152EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.15 views

PT-2026-48936

Name of the Vulnerable Software and Affected Versions Mattermost versions prior to 11.6.2 Mattermost versions prior to 11.5.5 Mattermost versions prior to 10.11.17 Description A failure to validate that a username returned during bot registration belongs to a bot account allows an unprivileged...

5.3CVSS5.9AI score0.0019EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.16 views

PT-2026-48937

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.6.0 through 11.6.1 Mattermost versions 11.5.0 through 11.5.4 Mattermost versions 10.11.0 through 10.11.16 Description An issue exists where the system fails to enforce the PermissionInviteUser check when setting...

4.3CVSS5.9AI score0.00152EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:37 p.m.9 views

CVE-2026-3117

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or setup webhook connections via the gitlab instance option or the /gitlab webhook option commands...

6.5CVSS5.5AI score0.00228EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:32 p.m.7 views

CVE-2026-6342

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID:...

4.3CVSS5.5AI score0.00152EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:32 p.m.8 views

CVE-2026-6343

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get.. Mattermost Advisory ID: MMSA-2026-00591...

4.3CVSS5.5AI score0.00165EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/28 12:0 a.m.18 views

Mattermost Server 10.11.x < 10.11.17 / 11.5.x < 11.5.5 / 11.6.x < 11.6.2 Improper Authorization (MMSA-2026-00629)

The version of Mattermost Server installed on the remote host is affected by a vulnerability as referenced in the MMSA-2026-00629 advisory. - Mattermost Server fails to validate team-level runcreate permission against the target team when creating a playbook run which allows an authenticated team...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/25 7:10 a.m.15 views

EUVD-2026-31646

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service server process termination via a crafted webhook...

6.5CVSS5.8AI score0.00277EPSS
Exploits0References1
NVD
NVD
added 2026/05/22 11:16 a.m.15 views

CVE-2026-3473

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs...

7.1CVSS0.00149EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/22 10:28 a.m.24 views

CVE-2026-4635 Persistent notification timing attack causing server denial of service

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to archive the channel before removing persistent notifications which allows authenticated user to crash the server via timing the creation of persistent notification message between the server deleting...

6.5CVSS0.00172EPSS
Exploits0References1
CVE
CVE
added 2026/05/22 10:28 a.m.21 views

CVE-2026-4635

Mattermost (versions 11.6.x &lt;= 11.6.0, 11.5.x &lt;= 11.5.3, 11.4.x &lt;= 11.4.4, 10.11.x

6.5CVSS5.8AI score0.00172EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/22 12:0 a.m.14 views

PT-2026-42747

Name of the Vulnerable Software and Affected Versions Mattermost version 11.6.0 Mattermost version 11.5.3 Mattermost version 11.4.4 Mattermost version 10.11.14 Description An issue exists where the system fails to archive the channel before removing persistent notifications. This allows an...

6.8CVSS5.8AI score0.00172EPSS
Exploits0References8
NVD
NVD
added 2026/05/21 9:16 a.m.19 views

CVE-2026-4858

Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action...

9.9CVSS0.00249EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.15 views

PT-2026-42404

Name of the Vulnerable Software and Affected Versions Mattermost version 11.5.1 Description An issue exists where the system fails to validate the team-level run create permission against the target team during the creation of a playbook run. This allows an authenticated team member to create run...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References10
Rows per page
Query Builder