github.com/mattermost/mattermost-server/v5 (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/mattermost/mattermost-server/v5, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVE-2024-39777 — CVSS 8.7 (high): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access…
CVE-2024-39274 — CVSS 8.7 (high): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes…
CVE-2025-58075 — CVSS 8.1 (high): Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost…
CVE-2025-58073 — CVSS 8.1 (high): Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost…
CVE-2025-9072 — CVSS 7.6 (high): Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker…
CVE-2026-24458 — CVSS 7.5 (high): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an…
CVE-2018-21258 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash…
CVE-2024-36492 — CVSS 7.4 (high): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when…
CVE-2023-1776 — CVSS 7.3 (high): Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to…
CVE-2025-14273 — CVSS 7.2 (high): Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost…
CVE-2022-2401 — CVSS 6.5 (medium): Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive…
CVE-2026-6345 — CVSS 6.5 (medium): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail prevent disclosure of created user password which allows a…
CVE-2026-5163 — CVSS 6.5 (medium): Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an…
CVE-2025-9076 — CVSS 6.5 (medium): Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows…
CVE-2024-2447 — CVSS 6.5 (medium): Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of…
CVE-2025-55070 — CVSS 6.5 (medium): Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access…
CVE-2025-41395 — CVSS 6.5 (medium): Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost…
CVE-2025-35965 — CVSS 6.5 (medium): Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions…
CVE-2025-21088 — CVSS 6.5 (medium): Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto…
CVE-2025-2475 — CVSS 5.4 (medium): Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a…
CVE-2025-55073 — CVSS 5.4 (medium): Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being…
CVE-2020-14457 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket…
CVE-2025-27936 — CVSS 5.3 (medium): Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform…
CVE-2026-2456 — CVSS 5.3 (medium): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Mattermost fails to limit the size of responses from…
CVE-2023-5968 — CVSS 4.9 (medium): Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the…
CVE-2025-11794 — CVSS 4.9 (medium): Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators…
CVE-2024-39836 — CVSS 4.8 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot…
CVE-2024-8071 — CVSS 4.7 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as…
CVE-2022-1384 — CVSS 4.7 (medium): Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which…
CVE-2025-32093 — CVSS 4.7 (medium): Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other…
CVE-2024-29221 — CVSS 4.7 (medium): Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11…
CVE-2024-46872 — CVSS 4.6 (medium): Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for…
CVE-2024-40886 — CVSS 4.6 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are…
CVE-2025-14350 — CVSS 4.3 (medium): Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing…
CVE-2025-12559 — CVSS 4.3 (medium): Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be…
CVE-2025-1472 — CVSS 4.3 (medium): Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer…
CVE-2025-20033 — CVSS 4.3 (medium): Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows…
CVE-2024-50052 — CVSS 4.3 (medium): Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration…
CVE-2024-47401 — CVSS 4.3 (medium): Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in…
CVE-2026-4055 — CVSS 4.3 (medium): Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run…
CVE-2023-1775 — CVSS 4.3 (medium): When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast…
CVE-2025-2564 — CVSS 4.3 (medium): Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived…
CVE-2023-47858 — CVSS 4.3 (medium): Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get…
CVE-2026-28759 — CVSS 4.3 (medium): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel…
CVE-2025-27571 — CVSS 4.3 (medium): Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels"…
CVE-2023-48732 — CVSS 4.3 (medium): Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting…
CVE-2025-30179 — CVSS 4.3 (medium): Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce MFA on certain search APIs, which allows…
CVE-2024-1888 — CVSS 4.3 (medium): Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permissions…
CVE-2024-1942 — CVSS 4.3 (medium): Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under…
CVE-2025-11776 — CVSS 4.3 (medium): Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived…
CVE-2026-6339 — CVSS 4.3 (medium): Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint…
CVE-2022-1337 — CVSS 4.3 (medium): The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an…
CVE-2024-10241 — CVSS 4.3 (medium): Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get…
CVE-2024-1402 — CVSS 4.3 (medium): Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to…
CVE-2024-1953 — CVSS 4.3 (medium): Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested…
CVE-2024-1887 — CVSS 4.3 (medium): Mattermost fails to check if compliance export is enabled when fetching posts of public channels allowing a user that is not a member of…
CVE-2022-1332 — CVSS 4.3 (medium): One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members…
CVE-2026-2578 — CVSS 4.3 (medium): Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members…
CVE-2024-28949 — CVSS 4.3 (medium): Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user…
CVE-2026-2463 — CVSS 4.3 (medium): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which…
CVE-2025-47870 — CVSS 4.3 (medium): Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST…
CVE-2026-2458 — CVSS 4.3 (medium): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching…
CVE-2024-24988 — CVSS 4.3 (medium): Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times…
CVE-2026-2457 — CVSS 4.3 (medium): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an…
CVE-2026-21386 — CVSS 4.3 (medium): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute…
CVE-2024-23493 — CVSS 4.3 (medium): Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP…
CVE-2023-1774 — CVSS 4.2 (medium): When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel…
CVE-2024-41162 — CVSS 4.1 (medium): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels…
CVE-2025-64641 — CVSS 4.1 (medium): Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking…
CVE-2026-3495 — CVSS 3.8 (low): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error…
CVE-2025-14573 — CVSS 3.8 (low): Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators…
CVE-2025-22449 — CVSS 3.8 (low): Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to…
CVE-2024-39837 — CVSS 3.8 (low): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create…
CVE-2025-53971 — CVSS 3.8 (low): Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which…
CVE-2025-13324 — CVSS 3.7 (low): Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the…
CVE-2023-7113 — CVSS 3.7 (low): Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web…
CVE-2023-50333 — CVSS 3.7 (low): Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests…
CVE-2021-37860 — CVSS 3.7 (low): Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary…
CVE-2022-1385 — CVSS 3.7 (low): Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console…
CVE-2026-4273 — CVSS 3.7 (low): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token…
CVE-2025-49810 — CVSS 3.5 (low): Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts
CVE-2025-47700 — CVSS 3.5 (low): Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick…
CVE-2026-6333 — CVSS 3.5 (low): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash…
CVE-2024-10214 — CVSS 3.5 (low): Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in…
CVE-2025-22445 — CVSS 3.5 (low): Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls…
CVE-2025-27715 — CVSS 3.3 (low): Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team…
CVE-2025-4128 — CVSS 3.1 (low): Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to…
CVE-2025-3611 — CVSS 3.1 (low): Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System…
CVE-2026-22545 — CVSS 3.1 (low): Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows…
CVE-2025-62690 — CVSS 3.1 (low): Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to…
CVE-2024-1952 — CVSS 3.1 (low): Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing…
CVE-2024-21848 — CVSS 3.1 (low): Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to…
CVE-2025-9081 — CVSS 3.1 (low): Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to…
CVE-2025-9084 — CVSS 3.1 (low): Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites…
CVE-2024-23488 — CVSS 3.1 (low): Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to…
CVE-2024-24776 — CVSS 3.1 (low): Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/member_count API resulting in channel member counts…
CVE-2025-54499 — CVSS 3.1 (low): Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which…
CVE-2024-28053 — CVSS 3.1 (low): Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed…
CVE-2025-41436 — CVSS 3.1 (low): Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access…
CVE-2025-41423 — CVSS 3.1 (low): Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint…
CVE-2025-24839 — CVSS 3.1 (low): Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This…
CVE-2025-11777 — CVSS 3.1 (low): Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member…
CVE-2025-2424 — CVSS 3.1 (low): Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an…
CVE-2024-47003 — CVSS 3.1 (low): Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to validate that the message of the permalink post is a string, which allows…
CVE-2026-4286 — CVSS 3.1 (low): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing…
CVE-2025-10545 — CVSS 3.1 (low): Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members…
CVE-2026-6334 — CVSS 3.1 (low): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code…
CVE-2025-1412 — CVSS 3.1 (low): Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows…
CVE-2025-13870 — CVSS 3.1 (low): Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to…
CVE-2025-31363 — CVSS 3.0 (low): Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream…
CVE-2025-13352 — CVSS 3.0 (low): Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction…
CVE-2025-55074 — CVSS 3.0 (low): Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users…
CVE-2025-24866 — CVSS 2.7 (low): Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated…
CVE-2024-29977 — CVSS 2.7 (low): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which…
CVE-2025-2570 — CVSS 2.7 (low): Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to…
CVE-2024-41926 — CVSS 2.7 (low): Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs…
CVE-2024-40884 — CVSS 2.7 (low): Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team…
CVE-2024-1949 — CVSS 2.6 (low): A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized…
CVE-2025-6227 — CVSS 2.2 (low): Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that…
CVE-2025-27538 — CVSS 2.2 (low): Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user…