CVE-2025-12421 — CVSS 9.9 (critical): Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used…
CVE-2018-21251 — CVSS 9.8 (critical): An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in…
CVE-2017-18920 — CVSS 9.8 (critical): An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy.
CVE-2017-18915 — CVSS 9.8 (critical): An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain…
CVE-2017-18912 — CVSS 9.8 (critical): An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file.
CVE-2017-18900 — CVSS 9.8 (critical): An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.
CVE-2017-18888 — CVSS 9.8 (critical): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts.
CVE-2017-18885 — CVSS 9.8 (critical): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended…
CVE-2017-18908 — CVSS 9.8 (critical): An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an…
CVE-2025-24490 — CVSS 9.6 (critical): Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query…
CVE-2017-18911 — CVSS 9.1 (critical): An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a…
CVE-2017-18883 — CVSS 9.1 (critical): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low…
CVE-2017-18903 — CVSS 8.8 (high): An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. CSRF can occur if CORS is enabled.
CVE-2024-2450 — CVSS 8.8 (high): Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account…
CVE-2018-21264 — CVSS 8.8 (high): An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. It did not enforce the expiration date of a SAML response.
CVE-2019-20841 — CVSS 8.8 (high): An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. CSRF can sometimes occur via a crafted web…
CVE-2018-21263 — CVSS 8.8 (high): An issue was discovered in Mattermost Server before 4.7.0, 4.6.2, and 4.5.2. An attacker could authenticate to a different user's account…
CVE-2017-18886 — CVSS 8.8 (high): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands.
CVE-2019-20865 — CVSS 8.8 (high): An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5.10.2, 5.9.2, and 4.10.10. The login page allows CSRF.
CVE-2017-18906 — CVSS 8.1 (high): An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim…
CVE-2017-18894 — CVSS 8.1 (high): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes…
CVE-2025-58073 — CVSS 8.1 (high): Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost…
CVE-2025-58075 — CVSS 8.1 (high): Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost…
CVE-2017-18884 — CVSS 8.1 (high): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered…
CVE-2015-9548 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 1.2.0. It allows attackers to cause a denial of service (memory consumption) via a…
CVE-2019-20843 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There are weak permissions for configuration…
CVE-2019-20845 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.18.0. It allows attackers to cause a denial of service (memory consumption) via a…
CVE-2019-20846 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.18.0. It has weak permissions for server-local file storage.
CVE-2019-20854 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.17.0. It allows remote attackers to cause a denial of service (client-side…
CVE-2019-20855 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5.14.5, and 5.9.6. It allows attackers to obtain sensitive information…
CVE-2019-20857 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.16.0. It allows attackers to cause a denial of service (markdown renderer hang) via…
CVE-2019-20858 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.15.0. It allows attackers to cause a denial of service (CPU consumption) via crafted…
CVE-2019-20859 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.15.0. Login access control can be bypassed via crafted input.
CVE-2019-20862 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.13.0. Non-members may fetch a team's slash commands.
CVE-2019-20863 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.13.0. Incoming webhook creation is not properly restricted.
CVE-2017-18871 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service…
CVE-2019-20868 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.11.0. Invite IDs were improperly generated.
CVE-2016-11066 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information.
CVE-2019-20871 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. The Markdown library allows catastrophic backtracking.
CVE-2019-20874 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information…
CVE-2017-18917 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and…
CVE-2026-24458 — CVSS 7.5 (high): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an…
CVE-2017-18909 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. Encryption and signature verification are not mandatory.
CVE-2020-14459 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.19.0. Attackers can rename a channel and cause a collision with a direct message, aka…
CVE-2020-14458 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.19.0. Attackers can discover private channels via the "get channel by name" API, aka…
CVE-2020-14453 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.21.0. Socket read operations are not appropriately restricted, which allows attackers…
CVE-2020-14450 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.22.0. The markdown renderer allows attackers to cause a denial of service…
CVE-2020-14448 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.23.0. Automatic direct message replies allow attackers to cause a denial of service…
CVE-2018-21248 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.4.0. It mishandles possession of superfluous authentication credentials.
CVE-2020-14447 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.23.0. Large webhook requests allow attackers to cause a denial of service (infinite…
CVE-2019-20888 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It allows attackers to cause a denial of service (memory…
CVE-2019-20886 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.8.0. The first user is sometimes inadvertently a system admin.
CVE-2019-20885 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.8.0. It does not always generate a robots.txt file.
CVE-2016-11069 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 3.2.0. It mishandles brute-force attempts at password change.
CVE-2018-21258 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.1. It allows attackers to cause a denial of service via the invite_people slash…
CVE-2019-20880 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6.5, and 4.10.7. It allows attackers to cause a denial of service…
CVE-2018-21262 — CVSS 7.5 (high): An issue was discovered in Mattermost Server before 4.7.3. It allows attackers to cause a denial of service (application crash) via invalid…
CVE-2023-45316 — CVSS 7.3 (high): Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID…
CVE-2019-20881 — CVSS 7.3 (high): An issue was discovered in Mattermost Server before 5.8.0. It mishandles brute-force attacks against MFA.
CVE-2023-1776 — CVSS 7.3 (high): Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to…
CVE-2025-14273 — CVSS 7.2 (high): Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost…
CVE-2023-1831 — CVSS 7.2 (high): Mattermost fails to redact from audit logs the user password during user creation and the user password hash in other operations if the…
CVE-2019-20842 — CVSS 7.2 (high): An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via…
CVE-2023-6458 — CVSS 7.1 (high): Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side…
CVE-2026-2462 — CVSS 6.6 (medium): Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with…
CVE-2026-7184 — CVSS 6.5 (medium): Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH…
CVE-2023-1777 — CVSS 6.5 (medium): Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call…
CVE-2026-4915 — CVSS 6.5 (medium): Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing…
CVE-2026-5163 — CVSS 6.5 (medium): Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an…
CVE-2017-18874 — CVSS 6.5 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can…
CVE-2024-54083 — CVSS 6.5 (medium): Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps…
CVE-2024-54682 — CVSS 6.5 (medium): Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file…
CVE-2025-9076 — CVSS 6.5 (medium): Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows…
CVE-2024-2447 — CVSS 6.5 (medium): Mattermost versions 8.1.x before 8.1.11, 9.3.x before 9.3.3, 9.4.x before 9.4.4, and 9.5.x before 9.5.2 fail to authenticate the source of…
CVE-2025-12689 — CVSS 6.5 (medium): Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format…
CVE-2025-55070 — CVSS 6.5 (medium): Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access…
CVE-2025-41395 — CVSS 6.5 (medium): Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost…
CVE-2025-35965 — CVSS 6.5 (medium): Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions…
CVE-2018-21250 — CVSS 6.5 (medium): An issue was discovered in Mattermost Server before 5.2.2, 5.1.2, and 4.10.4. It allows remote attackers to cause a denial of service…
CVE-2026-3117 — CVSS 6.5 (medium): Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab…
CVE-2016-11072 — CVSS 6.5 (medium): An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled.
CVE-2019-20844 — CVSS 6.5 (medium): An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. An attacker can spoof a direct-message…
CVE-2016-11078 — CVSS 6.5 (medium): An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential…
CVE-2019-20873 — CVSS 6.5 (medium): An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information…
CVE-2026-4339 — CVSS 6.5 (medium): Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP…
CVE-2023-46701 — CVSS 6.5 (medium): Mattermost fails to perform authorization checks in the /plugins/playbooks/api/v0/runs/add-to-timeline-dialog endpoint of the Playbooks…
CVE-2020-14460 — CVSS 6.5 (medium): An issue was discovered in Mattermost Server before 5.19.0, 5.18.1, 5.17.3, 5.16.5, and 5.9.8. Creation of a trusted OAuth application does…
CVE-2026-4635 — CVSS 6.5 (medium): Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing…
CVE-2022-2401 — CVSS 6.5 (medium): Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive…
CVE-2026-6345 — CVSS 6.5 (medium): Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail prevent disclosure of created user password which allows a…
CVE-2023-3581 — CVSS 6.2 (medium): Mattermost fails to properly validate the origin of a websocket connection allowing a MITM attacker on Mattermost to access the websocket…
CVE-2016-11073 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 3.0.0. It allows XSS via a Legal or Support setting.
CVE-2017-18892 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not…
CVE-2017-18897 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. It mishandles a…
CVE-2017-18880 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the title_link field of a Slack attachment.
CVE-2016-11083 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window.
CVE-2017-18921 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. XSS can occur via a link on an error page.
CVE-2017-18893 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.
CVE-2017-18907 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.
CVE-2017-18879 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack…
CVE-2017-18913 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. XSS can occur via a link on an error page.
CVE-2017-18882 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS can occur via OpenGraph data.
CVE-2017-18881 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via a goto_location response to a slash…
CVE-2017-18904 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. It allows XSS via an uploaded file.
CVE-2017-18891 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows Phishing because an error page can have a link.
CVE-2024-2445 — CVSS 6.1 (medium): Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x…
CVE-2017-18877 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.
CVE-2016-11071 — CVSS 6.1 (medium): An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not…
CVE-2024-36255 — CVSS 5.7 (medium): Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper input validation on post actions which allows…
CVE-2025-13821 — CVSS 5.7 (medium): Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which…
CVE-2022-2366 — CVSS 5.6 (medium): Incorrect default configuration for trusted IP header in Mattermost version 6.7.0 and earlier allows attacker to bypass some of the rate…
CVE-2019-20860 — CVSS 5.5 (medium): An issue was discovered in Mattermost Server before 5.14.0, 5.13.3, 5.12.6, and 5.9.4. It allows remote attackers to cause a denial of…
CVE-2019-20872 — CVSS 5.5 (medium): An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. SSRF can attack local services.
CVE-2025-55073 — CVSS 5.4 (medium): Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being…
CVE-2025-2475 — CVSS 5.4 (medium): Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to invalidate the cache when a user account is converted to a…
CVE-2019-20876 — CVSS 5.4 (medium): An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. Users can deactivate themselves, bypassing a policy.
CVE-2016-11070 — CVSS 5.4 (medium): An issue was discovered in Mattermost Server before 3.1.0. It allows XSS via theme color-code values.
CVE-2026-28735 — CVSS 5.4 (medium): Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the…
CVE-2017-18919 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. Attackers can use the API for unauthenticated team creation.
CVE-2017-18916 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration…
CVE-2017-18905 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session…
CVE-2017-18873 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to cause a denial of service (channel…
CVE-2016-11067 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang.
CVE-2017-18896 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST…
CVE-2016-11068 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.
CVE-2022-0903 — CVSS 5.3 (medium): A call stack overflow bug in the SAML login feature in Mattermost server in versions up to and including 6.3.2 allows an attacker to crash…
CVE-2020-14457 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket…
CVE-2020-14452 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 5.21.0. mmctl allows directory traversal via HTTP, aka MMSA-2020-0014.
CVE-2019-20889 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, and 4.10.5. It mishandles permissions for user-access token creation.
CVE-2019-20884 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 5.8.0. It allows attackers to partially attach a file to more than one post.
CVE-2016-11062 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 3.5.1. E-mail address verification can be bypassed.
CVE-2017-18902 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API…
CVE-2019-20882 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 5.8.0. It does not honor the domain requirement when processing a join request for an…
CVE-2019-20877 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows attackers to obtain sensitive information…
CVE-2019-20875 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7.3, and 4.10.8. It allows a password reset to proceed while an e-mail…
CVE-2019-20869 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8.2, and 4.10.9. A non-member could change the Update/Patch Channel…
CVE-2017-18887 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members.
CVE-2019-20867 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 5.11.0. An attacker can interfere with a channel's post loading via one crafted post.
CVE-2023-6459 — CVSS 5.3 (medium): Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public…
CVE-2017-18899 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It mishandles IP-based rate limiting.
CVE-2019-20866 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 5.12.0. Use of a Proxy HTTP header, rather than the source address in an IP packet…
CVE-2019-20847 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 5.18.0. An attacker can send a user_typing WebSocket event to any channel.
CVE-2018-21259 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.10.1, 4.9.4, and 4.8.2. It allows attackers to cause a denial of service (application…
CVE-2018-21257 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for setting a channel…
CVE-2017-18901 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by…
CVE-2016-11076 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 3.0.0. It does not ensure that a cookie is used over SSL.
CVE-2017-18914 — CVSS 5.3 (medium): An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. An external link can occur on an error page even if it is not…