mattermost

575 tracked vulnerabilities.

CVE-2026-6340 MEDIUM
Mattermost 10.11.0-10.11.13 11.4.0-11.4.3 11.5.0-11.5.1 - Authenticated Denial of Service via 7zip Archive Processing
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6334 LOW
OAuth authorization code client binding not enforced during token redemption in Mattermost
May 18, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-4273 LOW
Insufficient token rotation validation in remote cluster invite confirmation
May 18, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-3637 MEDIUM
Mattermost fails to enforce create_post permission when editing posts
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-3495 LOW
Mattermost 10.11.0-10.11.13 and 11.5.0-11.5.1 - Stored Cross-Site Scripting in Error Page Configuration
May 18, 2026
CVSS 3.8
EPSS 0.00
CVE-2026-2325 MEDIUM
Improper Input Validation in MS Teams Meetings API Handler
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-28759 MEDIUM
Mattermost Shared Channel Sync - Unauthorized Member Removal
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-4054 MEDIUM
SVG content served through Mattermost image proxy despite Content-Type restrictions causes client-side denial of service
May 15, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-4053 LOW
post edit time limit is not enforced on some post update operations
May 15, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-3590 MEDIUM
Race Condition in Guest Magic Link Authentication Allows Token Reuse
Apr 15, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-28741 MEDIUM
CSRF Protection Bypass Allows Updating a User's Authentication Method
Apr 15, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-27769 LOW
Connected Workspaces: Malicious remote server can manipulate arbitrary user's status
Apr 15, 2026
CVSS 2.7
EPSS 0.00
CVE-2026-24661 LOW
Unbounded Request Body Read in MS Teams Plugin /changes Webhook Endpoint
Apr 09, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-21388 LOW
Unbounded Request Body Read in MS Teams Plugin /lifecycle Webhook Endpoint
Apr 09, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-3524 HIGH
Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check
Apr 06, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-28736 MEDIUM
Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix)
Apr 03, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-25773 HIGH
Focalboard Second-Order SQL Injection in category reorder endpoint allows data exfiltration (unsupported product, no fix)
Apr 03, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-3116 MEDIUM
Improper Input Validation in Zoom Plugin Webhook Handler
Mar 26, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-3115 MEDIUM
Guest users can view group member IDs without respecting view restrictions
Mar 26, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-3114 MEDIUM
Zip Bomb Denial of Service via Unrestricted Archive Decompression
Mar 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-3113 MEDIUM
mmctl export download command doesn’t restrict permissions to created file to file owner
Mar 26, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-3112 MEDIUM
Arbitrary File Read via Advanced Logging Support Packet
Mar 26, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-3109 LOW
Missing timestamp validation in Zoom webhook handler
Mar 26, 2026
CVSS 2.2
EPSS 0.00
CVE-2026-3108 HIGH
Terminal Escape Injection in mmctl Report Posts Command
Mar 26, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-4274 MEDIUM
Insufficient authorization in shared channel membership sync grants team-level access instead of channel-level access
Mar 26, 2026
CVSS 5.4
EPSS 0.00