CVE & Exploit Intelligence Database

CVE-2025-12421 9.9 CRITICAL 1 PoC Analysis EPSS 0.00

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).

CWE-303 Nov 27, 2025

CVE-2025-12419 9.9 CRITICAL EPSS 0.00

Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost.

CWE-303 Nov 27, 2025

CVE-2025-4981 9.9 CRITICAL 1 PoC Analysis EPSS 0.01

Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default.

CWE-427 Jun 20, 2025

CVE-2025-25279 9.9 CRITICAL 1 PoC Analysis EPSS 0.29

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate board blocks when importing boards which allows an attacker could read any arbitrary file on the system via importing and exporting a specially crafted import archive in Boards.

CWE-22 Feb 24, 2025

CVE-2025-24490 9.6 CRITICAL 1 PoC Analysis EPSS 0.00

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query of boards reordering which allows an attacker to retrieve data from the database, via a SQL injection when reordering specially crafted boards categories.

CWE-89 Feb 24, 2025

CVE-2025-20051 9.9 CRITICAL EPSS 0.00

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to properly validate input when patching and duplicating a board, which allows a user to read any arbitrary file on the system via duplicating a specially crafted block in Boards.

CWE-22 Feb 24, 2025

CVE-2017-18920 9.8 CRITICAL EPSS 0.01

An issue was discovered in Mattermost Server before 3.6.2. The WebSocket feature does not follow the Same Origin Policy.

Jun 19, 2020

CVE-2017-18915 9.8 CRITICAL EPSS 0.00

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access.

CWE-276 Jun 19, 2020

CVE-2017-18908 9.8 CRITICAL EPSS 0.00

An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. A password-reset request was sometime sent to an attacker-provided e-mail address.

CWE-287 Jun 19, 2020

CVE-2016-11074 9.8 CRITICAL EPSS 0.00

An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused.

CWE-287 Jun 19, 2020

CVE-2016-11064 9.8 CRITICAL EPSS 0.01

An issue was discovered in Mattermost Desktop App before 3.4.0. Strings could be executed as code via injection.

CWE-94 Jun 19, 2020

CVE-2017-18912 9.8 CRITICAL EPSS 0.01

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. It allows an attacker to specify a full pathname of a log file.

CWE-22 Jun 19, 2020

CVE-2017-18911 9.1 CRITICAL EPSS 0.00

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server.

CWE-295 Jun 19, 2020

CVE-2017-18900 9.8 CRITICAL EPSS 0.01

An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.

CWE-74 Jun 19, 2020

CVE-2017-18888 9.8 CRITICAL EPSS 0.00

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows SQL injection during the fetching of multiple posts.

CWE-89 Jun 19, 2020

CVE-2017-18885 9.8 CRITICAL EPSS 0.00

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by accessing unintended API endpoints on a user's behalf.

CWE-269 Jun 19, 2020

CVE-2017-18883 9.1 CRITICAL EPSS 0.00

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.

CWE-331 Jun 19, 2020

CVE-2018-21251 9.8 CRITICAL EPSS 0.00

An issue was discovered in Mattermost Server before 5.2 and 5.1.1. Authorization could be bypassed if the channel name were not the same in the params and the body.

CWE-862 Jun 19, 2020

CVE-2019-20856 9.8 CRITICAL EPSS 0.00

An issue was discovered in Mattermost Desktop App before 4.3.0 on macOS. It allows dylib injection.

CWE-427 Jun 19, 2020

CVE-2019-20853 9.8 CRITICAL EPSS 0.02

An issue was discovered in Mattermost Packages before 5.16.3. A Droplet could allow Internet access to a service that has a remote code execution problem.

CWE-668 Jun 19, 2020