22 matches found
CVE-2026-52815
Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/orgteam.go:8 returns all teams for any organization without requiring authentication. The route...
Improper Access Control
Mattermost is vulnerable to improper access control. The vulnerability is due to insufficient sanitization and access restrictions on team email addresses, which allows an authenticated user to exploit the GET /api/v4/channels/channelid/commonteams endpoint to view sensitive team email informatio...
Mattermost Server 10.11.x <= 10.11.9 / 11.0.x <= 11.2.x Improper Access Control (MMSA-2025-00549)
The version of Mattermost Server installed on the remote host is affected by a vulnerability as referenced in the MMSA-2025-00549 advisory. - Mattermost versions 10.11.x <= 10.11.9 and 11.0.x <= 11.2.x fail to properly enforce access control checks in the common teams API. This allows the API to...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via a race condition in the /commonteams API endpoint. An attacker can gain unauthorized access to team names by exploiting the timing of channel membership validation during data retrieva...
Mattermost doesn't properly validate channel membership at the time of data retrieval
Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /commonteams API endpoint. Mattermost Advisory ID: MMSA-2025-00549...
CVE-2026-20796
Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /commonteams API endpoint. Mattermost Advisory ID: MMSA-2025-00549...
CVE-2026-20796 Time-of-check time-of-use vulnerability in common teams API
Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /commonteams API endpoint. Mattermost Advisory ID: MMSA-2025-00549...
CVE-2026-20796
Mattermost CVE-2026-20796 affects version 10.11.x up to 10.11.9, due to improper validation of channel membership at data retrieval. A race condition in the /common_teams API endpoint can allow a deactivated user to learn team names they should not access. Root cause: insufficient validation duri...
PT-2026-7984
Name of the Vulnerable Software and Affected Versions Mattermost versions 10.11.0 through 10.11.9 Description Mattermost versions 10.11.0 through 10.11.9 do not properly validate channel membership when retrieving data, potentially allowing a deactivated user to learn team names they should not...
SUSE CVE-2025-12559
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/channelid/commonteams endpoint...
CVE-2025-12559
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/channelid/commonteams endpoint...
EUVD-2025-199831
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/channelid/commonteams endpoint...
GHSA-4G87-9X45-CX2H Mattermost fails to sanitize team email addresses
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/channelid/commonteams endpoint...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure via the GET /api/v4/channels/channelid/commonteams endpoint. An attacker can access team email addresses intended to be visible only to Team Admins by making authenticated requests to this endpoint. Remediation...
CVE-2025-12559 Information Disclosure in Common Teams API
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/channelid/commonteams endpoint...
PT-2025-48275
Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/channel id/common teams endpoint...
Linux Distros Unpatched Vulnerability: CVE-2022-21713
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Grafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle use...