Filtered by vendor Mattermost
Subscribe
Total
577 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-20051 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 9.9 CRITICAL |
| Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards. | |||||
| CVE-2025-20036 | 1 Mattermost | 1 Mattermost Mobile | 2026-06-17 | N/A | 6.5 MEDIUM |
| Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. | |||||
| CVE-2025-20033 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 4.3 MEDIUM |
| Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props. | |||||
| CVE-2025-1792 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 3.1 LOW |
| Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint. | |||||
| CVE-2025-1558 | 1 Mattermost | 1 Mattermost Mobile | 2026-06-17 | N/A | 6.5 MEDIUM |
| Mattermost Mobile Apps versions <=2.25.0 fail to properly validate GIF images prior to rendering which allows a malicious user to cause the Android application to crash via message containing a maliciously crafted GIF. | |||||
| CVE-2025-1472 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 4.3 MEDIUM |
| Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics. | |||||
| CVE-2025-1412 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 3.1 LOW |
| Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot. | |||||
| CVE-2025-1398 | 2 Apple, Mattermost | 2 Macos, Mattermost Desktop | 2026-06-17 | N/A | 3.3 LOW |
| Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection. | |||||
| CVE-2025-14822 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 3.1 LOW |
| Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens | |||||
| CVE-2025-14573 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 3.8 LOW |
| Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561 | |||||
| CVE-2025-14435 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 6.8 MEDIUM |
| Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops. | |||||
| CVE-2025-14350 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 4.3 MEDIUM |
| Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563 | |||||
| CVE-2025-14273 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 7.2 HIGH |
| Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555 | |||||
| CVE-2025-13870 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 3.1 LOW |
| Mattermost versions 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does not have access to | |||||
| CVE-2025-13821 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 5.7 MEDIUM |
| Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560 | |||||
| CVE-2025-13767 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 4.3 MEDIUM |
| Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to. | |||||
| CVE-2025-13523 | 1 Mattermost | 1 Confluence | 2026-06-17 | N/A | 7.7 HIGH |
| Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without proper sanitization. Mattermost Advisory ID: MMSA-2025-00557 | |||||
| CVE-2025-13352 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 3.0 LOW |
| Mattermost versions 10.11.x <= 10.11.6 and Mattermost GitHub plugin versions <=2.4.0 fail to validate plugin bot identity in reaction forwarding which allows attackers to hijack the GitHub reaction feature to make users add reactions to arbitrary GitHub objects via crafted notification posts. | |||||
| CVE-2025-13326 | 1 Mattermost | 1 Mattermost Desktop | 2026-06-17 | N/A | 3.9 LOW |
| Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder. | |||||
| CVE-2025-13324 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 3.7 LOW |
| Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed. | |||||