33 matches found
CVE-2026-6343
Mattermost Playbooks plugin vulnerability CVE-2026-6343 affects Mattermost versions 11.5.x up to 11.5.1, 11.4.x up to 11.4.3, and 10.11.x up to 10.11.13. The issue is that public/private permissions are not checked, allowing members without required permissions to access public playbooks via endp...
CVE-2026-6343 Mattermost Playbooks Plugin fails to enforce view permissions in list endpoints, allowing unauthorized access to public playbooks
Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get.. Mattermost Advisory ID: MMSA-2026-00591...
CVE-2026-6343 Mattermost Playbooks Plugin fails to enforce view permissions in list endpoints, allowing unauthorized access to public playbooks
Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get.. Mattermost Advisory ID: MMSA-2026-00591...
CVE-2026-4286 Playbooks Plugin fails to validate team transfers, allowing unauthorized removal of member access via playbook update
Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID:...
CVE-2026-4286 Playbooks Plugin fails to validate team transfers, allowing unauthorized removal of member access via playbook update
Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID:...
EUVD-2025-12104
Malicious code in bioql PyPI...
EUVD-2022-24843
Malicious code in bioql PyPI...
EUVD-2023-50887
Malicious code in bioql PyPI...
Incorrect Authorization
Overview github.com/mattermost/mattermost-plugin-playbooks/server/app is a package for reliable and repeatable processes using checklists, automation, and retrospectives Affected versions of this package are vulnerable to Incorrect Authorization via improper enforcement of permissions in the...
Incorrect Authorization
Overview github.com/mattermost/mattermost-plugin-playbooks/server/app is a package for reliable and repeatable processes using checklists, automation, and retrospectives Affected versions of this package are vulnerable to Incorrect Authorization through improper enforcement of channel member...
CVE-2023-45847
Mattermost fails to to check the length when setting the title in a run checklist in Playbooks, allowing an attacker to send a specially crafted request and crash the Playbooks plugin...
Denial Of Service (DoS)
github.com/mattermost/mattermost-server is vulnerable to Denial Of Service DoS. The vulnerability is due to insufficient input validation caused by a failure to properly validate user-controlled props in the RetrospectivePost custom post type of the Playbooks plugin, which allows an attacker to...
CVE-2025-41395
Mattermost versions 10.4.x = 10.4.2, 10.5.x = 10.5.0, 9.11.x = 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of servi...
GHSA-3G36-GF7C-75QW Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type
Mattermost versions 10.4.x = 10.4.2, 10.5.x = 10.5.0, 9.11.x = 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of servi...
CVE-2025-41395
Mattermost versions 10.4.x = 10.4.2, 10.5.x = 10.5.0, 9.11.x = 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of servi...
CVE-2025-41395
Mattermost versions 10.4.x = 10.4.2, 10.5.x = 10.5.0, 9.11.x = 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of servi...
CVE-2025-41395
Mattermost Playbooks vulnerability CVE-2025-41395 is supported by OSV GO-2025-3642, which documents the same issue: Mattermost’s Playbooks RetrospectivePost props are not properly validated, enabling a crafted post to trigger DoS for all users. Affected are Mattermost releases with the Playbooks ...
CVE-2025-41395 Webapp DoS via malicious retrospective post in Playbooks
Mattermost versions 10.4.x = 10.4.2, 10.5.x = 10.5.0, 9.11.x = 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of servi...
CVE-2025-41395 Webapp DoS via malicious retrospective post in Playbooks
Mattermost versions 10.4.x = 10.4.2, 10.5.x = 10.5.0, 9.11.x = 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cause a denial of servi...
PT-2025-17702 · Mattermost · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.11.x through 9.11.10 Mattermost versions 10.4.x through 10.4.2 Mattermost versions 10.5.x through 10.5.0 Description: The issue arises from the failure to properly validate the props used by the RetrospectivePost custom...