github.com/mattermost/mattermost-server (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/mattermost/mattermost-server, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVE-2017-18888 — CVSS 9.8 (critical): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts.
CVE-2017-18915 — CVSS 9.8 (critical): An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain…
CVE-2017-18912 — CVSS 9.8 (critical): An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file.
CVE-2017-18908 — CVSS 9.8 (critical): An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an…
CVE-2017-18885 — CVSS 9.8 (critical): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended…
CVE-2017-18900 — CVSS 9.8 (critical): An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.
CVE-2017-18911 — CVSS 9.1 (critical): An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a…
CVE-2017-18883 — CVSS 9.1 (critical): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low…
CVE-2017-18886 — CVSS 8.8 (high): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands.
CVE-2017-18903 — CVSS 8.8 (high): An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.
CVE-2024-39274 — CVSS 8.7 (high): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes…
CVE-2024-39777 — CVSS 8.7 (high): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access…
CVE-2025-58073 — CVSS 8.1 (high): Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost…
CVE-2017-18884 — CVSS 8.1 (high): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered…
CVE-2025-58075 — CVSS 8.1 (high): Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost…
CVE-2017-18894 — CVSS 8.1 (high): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes…
CVE-2017-18906 — CVSS 8.1 (high): An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim…
CVE-2017-18909 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.
CVE-2016-11069 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.
CVE-2017-18871 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service…
CVE-2016-11066 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.
CVE-2026-24458 — CVSS 7.5 (high): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an…
CVE-2018-21258 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash…
CVE-2017-18917 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and…
CVE-2024-36492 — CVSS 7.4 (high): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when…
CVE-2023-1776 — CVSS 7.3 (high): Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to…
CVE-2025-14273 — CVSS 7.2 (high): Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost…
CVE-2024-54682 — CVSS 6.5 (medium): Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file…
CVE-2024-54083 — CVSS 6.5 (medium): Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps…
CVE-2026-6345 — CVSS 6.5 (medium): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail prevent disclosure of created user password which allows a…
CVE-2026-5163 — CVSS 6.5 (medium): Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an…
CVE-2017-18874 — CVSS 6.5 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can…
CVE-2016-11072 — CVSS 6.5 (medium): An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled.
CVE-2016-11078 — CVSS 6.5 (medium): An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential…
CVE-2025-9076 — CVSS 6.5 (medium): Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows…
CVE-2022-2401 — CVSS 6.5 (medium): Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive…
CVE-2023-1777 — CVSS 6.5 (medium): Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call…
CVE-2025-55070 — CVSS 6.5 (medium): Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access…
CVE-2025-41395 — CVSS 6.5 (medium): Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost…
CVE-2025-35965 — CVSS 6.5 (medium): Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions…
CVE-2025-21088 — CVSS 6.5 (medium): Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto…
CVE-2024-2447 — CVSS 6.5 (medium): Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of…
CVE-2017-18897 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a…
CVE-2016-11071 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not…
CVE-2017-18893 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.
CVE-2017-18877 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.
CVE-2017-18907 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.
CVE-2017-18904 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.
CVE-2016-11073 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.
CVE-2017-18892 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not…
CVE-2017-18891 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link.
CVE-2016-11083 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.
CVE-2017-18879 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack…
CVE-2016-11070 — CVSS 5.4 (medium): An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.
CVE-2025-55073 — CVSS 5.4 (medium): Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being…
CVE-2025-2475 — CVSS 5.4 (medium): Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a…
CVE-2017-18887 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members.
CVE-2016-11067 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang.
CVE-2016-11068 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
CVE-2016-11075 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 3.0.0. It allows attackers to obtain sensitive information about team URLs via an API.
CVE-2016-11076 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.
CVE-2017-18873 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel…
CVE-2017-18895 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user…
CVE-2017-18896 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST…
CVE-2017-18898 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows crafted posts that potentially cause a web browser…
CVE-2017-18901 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by…
CVE-2017-18902 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API…
CVE-2017-18905 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session…
CVE-2017-18916 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration…
CVE-2020-14457 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket…
CVE-2025-27936 — CVSS 5.3 (medium): Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform…
CVE-2026-2456 — CVSS 5.3 (medium): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Mattermost fails to limit the size of responses from…
CVE-2026-3113 — CVSS 5.0 (medium): Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on downloaded bulk…
CVE-2017-18876 — CVSS 4.9 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test…
CVE-2017-18875 — CVSS 4.9 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create…
CVE-2023-5968 — CVSS 4.9 (medium): Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the…
CVE-2017-18918 — CVSS 4.9 (medium): An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A System Administrator can place a SAML certificate at an arbitrary…
CVE-2025-11794 — CVSS 4.9 (medium): Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators…
CVE-2024-39836 — CVSS 4.8 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot…
CVE-2024-29221 — CVSS 4.7 (medium): Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11…
CVE-2025-32093 — CVSS 4.7 (medium): Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other…
CVE-2022-1384 — CVSS 4.7 (medium): Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which…
CVE-2024-8071 — CVSS 4.7 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as…
CVE-2024-46872 — CVSS 4.6 (medium): Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for…
CVE-2024-40886 — CVSS 4.6 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are…
CVE-2026-4055 — CVSS 4.3 (medium): Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run…
CVE-2026-4054 — CVSS 4.3 (medium): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to validate the response body of proxied images, which…
CVE-2026-3637 — CVSS 4.3 (medium): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post…
CVE-2025-14350 — CVSS 4.3 (medium): Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing…
CVE-2024-28949 — CVSS 4.3 (medium): Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user…
CVE-2025-1472 — CVSS 4.3 (medium): Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer…
CVE-2017-18878 — CVSS 4.3 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's…
CVE-2025-20033 — CVSS 4.3 (medium): Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows…
CVE-2024-24988 — CVSS 4.3 (medium): Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times…
CVE-2017-18889 — CVSS 4.3 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via…
CVE-2024-23493 — CVSS 4.3 (medium): Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP…
CVE-2017-18890 — CVSS 4.3 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by…
CVE-2026-28759 — CVSS 4.3 (medium): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel…
CVE-2024-1953 — CVSS 4.3 (medium): Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested…
CVE-2025-2564 — CVSS 4.3 (medium): Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived…
CVE-2026-2578 — CVSS 4.3 (medium): Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members…
CVE-2025-27571 — CVSS 4.3 (medium): Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels"…
CVE-2026-2463 — CVSS 4.3 (medium): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which…
CVE-2016-11081 — CVSS 4.3 (medium): An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.
CVE-2025-30179 — CVSS 4.3 (medium): Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows…
CVE-2026-2458 — CVSS 4.3 (medium): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching…
CVE-2026-2457 — CVSS 4.3 (medium): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an…
CVE-2024-1942 — CVSS 4.3 (medium): Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under…
CVE-2024-1888 — CVSS 4.3 (medium): Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permissions…
CVE-2024-1887 — CVSS 4.3 (medium): Mattermost fails to check if compliance export is enabled when fetching posts of public channels allowing a user that is not a member of…
CVE-2016-11080 — CVSS 4.3 (medium): An issue was discovered in Mattermost Server before 3.0.0. It offers superfluous APIs for a Team Administrator to view account details.
CVE-2022-1332 — CVSS 4.3 (medium): One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members…
CVE-2024-1402 — CVSS 4.3 (medium): Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to…
CVE-2024-10241 — CVSS 4.3 (medium): Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get…
CVE-2026-2325 — CVSS 4.3 (medium): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting…
CVE-2026-22892 — CVSS 4.3 (medium): Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from…
CVE-2025-41443 — CVSS 4.3 (medium): Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel…
CVE-2024-4183 — CVSS 4.3 (medium): Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active…
CVE-2026-21386 — CVSS 4.3 (medium): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute…
CVE-2025-47870 — CVSS 4.3 (medium): Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST…
CVE-2022-1337 — CVSS 4.3 (medium): The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an…
CVE-2022-1982 — CVSS 4.3 (medium): Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a…
CVE-2023-1775 — CVSS 4.3 (medium): When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast…
CVE-2024-4182 — CVSS 4.3 (medium): Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom…
CVE-2024-47401 — CVSS 4.3 (medium): Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in…
CVE-2024-50052 — CVSS 4.3 (medium): Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration…
CVE-2026-6339 — CVSS 4.3 (medium): Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint…
CVE-2017-18870 — CVSS 4.3 (medium): An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the…