github.com/mattermost/mattermost-server/v6 (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/mattermost/mattermost-server/v6, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (200)
CVE-2025-12421 — CVSS 9.9 (critical): Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used…
CVE-2024-39777 — CVSS 8.7 (high): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access…
CVE-2024-39274 — CVSS 8.7 (high): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes…
CVE-2025-58073 — CVSS 8.1 (high): Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost…
CVE-2025-58075 — CVSS 8.1 (high): Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost…
CVE-2024-36492 — CVSS 7.4 (high): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when…
CVE-2023-1776 — CVSS 7.3 (high): Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to…
CVE-2025-14273 — CVSS 7.2 (high): Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost…
CVE-2023-6458 — CVSS 7.1 (high): Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side…
CVE-2023-4107 — CVSS 6.7 (medium): Mattermost fails to properly validate the requesting user permissions when updating a system admin, allowing a user manager to update a…
CVE-2023-5195 — CVSS 6.5 (medium): Mattermost fails to properly validate the permissions when soft deleting a team allowing a team member to soft delete other teams that they…
CVE-2023-5196 — CVSS 6.5 (medium): Mattermost fails to enforce character limits in all possible notification props allowing an attacker to send a really long value for a…
CVE-2025-55070 — CVSS 6.5 (medium): Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access…
CVE-2022-2401 — CVSS 6.5 (medium): Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive…
CVE-2025-41395 — CVSS 6.5 (medium): Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost…
CVE-2025-21088 — CVSS 6.5 (medium): Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto…
CVE-2025-35965 — CVSS 6.5 (medium): Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions…
CVE-2026-6345 — CVSS 6.5 (medium): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail prevent disclosure of created user password which allows a…
CVE-2026-5163 — CVSS 6.5 (medium): Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an…
CVE-2024-2447 — CVSS 6.5 (medium): Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of…
CVE-2023-1777 — CVSS 6.5 (medium): Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call…
CVE-2025-9076 — CVSS 6.5 (medium): Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows…
CVE-2024-54083 — CVSS 6.5 (medium): Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps…
CVE-2024-54682 — CVSS 6.5 (medium): Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file…
CVE-2023-4106 — CVSS 6.3 (medium): Mattermost fails to check if the requesting user is a guest before performing different actions to public playbooks, resulting a guest…
CVE-2025-55073 — CVSS 5.4 (medium): Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being…
CVE-2025-2475 — CVSS 5.4 (medium): Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a…
CVE-2023-5969 — CVSS 5.3 (medium): Mattermost fails to properly sanitize the request to /api/v4/redirect_location allowing an attacker, sending a specially crafted request to…
CVE-2025-27936 — CVSS 5.3 (medium): Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform…
CVE-2026-2456 — CVSS 5.3 (medium): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Mattermost fails to limit the size of responses from…
CVE-2023-6459 — CVSS 5.3 (medium): Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public…
CVE-2023-5193 — CVSS 4.9 (medium): Mattermost fails to properly check permissions when retrieving a post allowing for a System Role with the permission to manage channels to…
CVE-2023-5968 — CVSS 4.9 (medium): Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the…
CVE-2025-11794 — CVSS 4.9 (medium): Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators…
CVE-2024-39836 — CVSS 4.8 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot…
CVE-2025-32093 — CVSS 4.7 (medium): Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other…
CVE-2024-29221 — CVSS 4.7 (medium): Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11…
CVE-2023-2515 — CVSS 4.7 (medium): Mattermost fails to restrict a user with permissions to edit other users and to create personal access tokens from elevating their…
CVE-2022-1384 — CVSS 4.7 (medium): Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace, which…
CVE-2024-8071 — CVSS 4.7 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user as…
CVE-2024-46872 — CVSS 4.6 (medium): Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for…
CVE-2022-1337 — CVSS 4.3 (medium): The image proxy component in Mattermost version 6.4.1 and earlier allocates memory for multiple copies of a proxied image, which allows an…
CVE-2023-1775 — CVSS 4.3 (medium): When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast…
CVE-2023-2783 — CVSS 4.3 (medium): Mattermost Apps Framework fails to verify that a secret provided in the incoming webhook request allowing an attacker to modify the…
CVE-2023-40703 — CVSS 4.3 (medium): Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing a attacker to…
CVE-2023-43754 — CVSS 4.3 (medium): Mattermost fails to check whether the “Allow users to view archived channels” setting is enabled during permalink previews display…
CVE-2023-45223 — CVSS 4.3 (medium): Mattermost fails to properly validate the "Show Full Name" option in a few endpoints in Mattermost Boards, allowing a member to get the…
CVE-2023-47168 — CVSS 4.3 (medium): Mattermost fails to properly check a redirect URL parameter allowing for an open redirect was possible when the user clicked "Back to…
CVE-2023-47858 — CVSS 4.3 (medium): Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get…
CVE-2023-47865 — CVSS 4.3 (medium): Mattermost fails to check if hardened mode is enabled when overriding the username and/or the icon when posting a post. If settings allowed…
CVE-2023-48268 — CVSS 4.3 (medium): Mattermost fails to limit the amount of data extracted from compressed archives during board import in Mattermost Boards allowing an…
CVE-2023-48369 — CVSS 4.3 (medium): Mattermost fails to limit the log size of server logs allowing an attacker sending specially crafted requests to different endpoints to…
CVE-2023-48732 — CVSS 4.3 (medium): Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting…
CVE-2023-5967 — CVSS 4.3 (medium): Mattermost fails to properly validate requests to the Calls plugin, allowing an attacker sending a request without a User Agent header to…
CVE-2023-6202 — CVSS 4.3 (medium): Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user…
CVE-2024-10241 — CVSS 4.3 (medium): Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get…
CVE-2024-1402 — CVSS 4.3 (medium): Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to…
CVE-2024-1887 — CVSS 4.3 (medium): Mattermost fails to check if compliance export is enabled when fetching posts of public channels allowing a user that is not a member of…
CVE-2024-1888 — CVSS 4.3 (medium): Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permissions…
CVE-2024-1942 — CVSS 4.3 (medium): Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under…
CVE-2024-1953 — CVSS 4.3 (medium): Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested…
CVE-2024-23493 — CVSS 4.3 (medium): Mattermost fails to properly authorize the requests fetching team associated AD/LDAP groups, allowing a user to fetch details of AD/LDAP…
CVE-2024-24988 — CVSS 4.3 (medium): Mattermost fails to properly validate the length of the emoji value in the custom user status, allowing an attacker to send multiple times…
CVE-2024-28949 — CVSS 4.3 (medium): Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 don't limit the number of user…
CVE-2024-32939 — CVSS 4.3 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2, when shared channels are enabled, fail to redact…
CVE-2024-39839 — CVSS 4.3 (medium): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username…
CVE-2024-43780 — CVSS 4.3 (medium): Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read…
CVE-2024-47401 — CVSS 4.3 (medium): Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in…
CVE-2024-50052 — CVSS 4.3 (medium): Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration…
CVE-2025-11776 — CVSS 4.3 (medium): Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived…
CVE-2025-12559 — CVSS 4.3 (medium): Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be…
CVE-2025-14350 — CVSS 4.3 (medium): Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing…
CVE-2025-1472 — CVSS 4.3 (medium): Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer…
CVE-2025-20033 — CVSS 4.3 (medium): Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows…
CVE-2025-47870 — CVSS 4.3 (medium): Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST…
CVE-2026-2578 — CVSS 4.3 (medium): Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members…
CVE-2022-1332 — CVSS 4.3 (medium): One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members…
CVE-2026-28759 — CVSS 4.3 (medium): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel…
CVE-2026-3637 — CVSS 4.3 (medium): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post…
CVE-2026-4055 — CVSS 4.3 (medium): Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run…
CVE-2023-1774 — CVSS 4.2 (medium): When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel…
CVE-2024-41162 — CVSS 4.1 (medium): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels…
CVE-2025-64641 — CVSS 4.1 (medium): Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking…
CVE-2025-53971 — CVSS 3.8 (low): Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which…
CVE-2024-39837 — CVSS 3.8 (low): Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create…
CVE-2023-5159 — CVSS 3.8 (low): Mattermost fails to properly verify the permissions when managing/updating a bot allowing a User Manager role with user edit permissions to…
CVE-2026-3495 — CVSS 3.8 (low): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error…
CVE-2025-22449 — CVSS 3.8 (low): Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to…
CVE-2025-14573 — CVSS 3.8 (low): Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators…
CVE-2023-50333 — CVSS 3.7 (low): Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests…
CVE-2022-1385 — CVSS 3.7 (low): Mattermost 6.4.x and earlier fails to properly invalidate pending email invitations when the action is performed from the system console…
CVE-2026-4273 — CVSS 3.7 (low): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token…
CVE-2025-13324 — CVSS 3.7 (low): Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the…
CVE-2023-7113 — CVSS 3.7 (low): Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web…
CVE-2025-49810 — CVSS 3.5 (low): Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts
CVE-2025-47700 — CVSS 3.5 (low): Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick…
CVE-2026-6333 — CVSS 3.5 (low): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash…
CVE-2025-22445 — CVSS 3.5 (low): Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls…
CVE-2024-10214 — CVSS 3.5 (low): Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly issues two sessions when using desktop SSO - one in the browser and one in…
CVE-2025-27715 — CVSS 3.3 (low): Mattermost versions 9.11.x <= 9.11.8 fail to prompt for explicit approval before adding a team admin to a private channel, which team…
CVE-2025-13870 — CVSS 3.1 (low): Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to…
CVE-2023-4105 — CVSS 3.1 (low): Mattermost fails to delete the attachments when deleting a message in a thread allowing a simple user to still be able to access and…
CVE-2026-6334 — CVSS 3.1 (low): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code…
CVE-2022-3257 — CVSS 3.1 (low): Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a…
CVE-2025-62690 — CVSS 3.1 (low): Mattermost versions 10.11.x <= 10.11.4 fail to validate redirect URLs on the /error page, which allows an attacker to redirect a victim to…
CVE-2024-28053 — CVSS 3.1 (low): Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed…
CVE-2025-11777 — CVSS 3.1 (low): Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member…
CVE-2024-24776 — CVSS 3.1 (low): Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/member_count API resulting in channel member counts…
CVE-2025-9081 — CVSS 3.1 (low): Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to…
CVE-2025-9084 — CVSS 3.1 (low): Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites…
CVE-2024-23488 — CVSS 3.1 (low): Mattermost fails to properly restrict the access of files attached to posts in an archived channel, resulting in members being able to…
CVE-2026-4286 — CVSS 3.1 (low): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing…
CVE-2026-22545 — CVSS 3.1 (low): Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows…
CVE-2024-21848 — CVSS 3.1 (low): Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to…
CVE-2024-1952 — CVSS 3.1 (low): Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing…
CVE-2023-35075 — CVSS 3.1 (low): Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to…
CVE-2025-24839 — CVSS 3.1 (low): Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This…
CVE-2025-2424 — CVSS 3.1 (low): Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an…
CVE-2025-3611 — CVSS 3.1 (low): Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System…
CVE-2025-4128 — CVSS 3.1 (low): Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to…
CVE-2025-41423 — CVSS 3.1 (low): Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint…
CVE-2025-41436 — CVSS 3.1 (low): Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access…
CVE-2025-54499 — CVSS 3.1 (low): Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which…
CVE-2025-1412 — CVSS 3.1 (low): Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows…
CVE-2024-47003 — CVSS 3.1 (low): Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to validate that the message of the permalink post is a string, which allows…
CVE-2025-10545 — CVSS 3.1 (low): Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members…