mattermost
607 tracked vulnerabilities.
CVE-2026-6961
HIGH
CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync
Jun 12, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-6739
MEDIUM
Mattermost: Delegated admins could patch protected default system roles
Jun 12, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-6689
MEDIUM
Mattermost Team Creation - Invite Settings Authorization Bypass
Jun 12, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6046
MEDIUM
Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server
Jun 12, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-3433
MEDIUM
Mattermost fails to scope role_updated websocket events to authorized team and channel members
Jun 12, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6957
HIGH
Path traversal in Mattermost Legal Hold plugin via unsanitized file name from federated peer allows arbitrary file write.
May 27, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-4915
MEDIUM
Mattermost - Server Panic via Outgoing Webhook Responses
May 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-28735
MEDIUM
Mattermost - GitHub OAuth Scope Validation
May 22, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-5755
MEDIUM
Mattermost - Denial of Service via Crafted TIFF File Upload
May 22, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-5740
HIGH
Unauthenticated WebSocket binary frame causes denial of service in Mattermost Server
May 22, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-5308
MEDIUM
Missing request body size limits on Zoom plugin HTTP endpoints
May 22, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-4646
MEDIUM
Insufficient input validation in GitHub plugin API causes denial of service
May 22, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-4635
MEDIUM
Persistent notification timing attack causing server denial of service
May 22, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-3636
MEDIUM
Mattermost - Sanitize Team Member Data Returned by API
May 22, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-3473
MEDIUM
Improper file ownership validation in the Boards API allows unauthorised file access
May 22, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-4858
HIGH
Path traversal in integration action URL leading to arbitrary API execution via system admin’s auth token.
May 21, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-22880
MEDIUM
Mobile SSO authentication flow allows credential theft via malicious server
May 21, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-4055
MEDIUM
Insufficient permission validation on cross-team playbook run creation
May 21, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6347
HIGH
Mattermost Calls plugin exposes TURN server credentials in plaintext in support packets
May 18, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-6346
HIGH
Sensitive credentials exposed in plaintext in Mattermost support packets
May 18, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-6345
MEDIUM
Prevent password disclosure and force reset during Slack import
May 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-6343
MEDIUM
Mattermost Playbooks Plugin - Public Playbook Unauthorized Access
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6339
MEDIUM
Missing request origin validation on burn-on-read reveal endpoint
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6333
LOW
SSRF via Host Header Spoofing in Custom Slash Commands
May 18, 2026
CVSS 3.5
EPSS 0.00
CVE-2026-5163
MEDIUM
Missing authorization check in AI message rewrite endpoint allows access to private thread content
May 18, 2026
CVSS 6.5
EPSS 0.00
Products
mattermost_server 451
mattermost 250
mattermost-server 212
Mattermost 104
mattermost_desktop 28
mattermost_mobile 20
confluence 14
mattermost-plugin-confluence 14
mattermost-plugin-playbooks 6
mattermost-plugin-github 4
mattermost-plugin-msteams 4
mattermost-plugin-calls 3
mattermost-plugin-jira 3
Focalboard 2
focalboard 2
mattermost-plugin-boards 2
mattermost-plugin-zoom 2
mattermost_boards 2
ms_teams 2
playbooks 2
zoom 2
Mattermost Google Drive Plugin 1
channel_export 1
github.com/mattermost/mattermost/server/public 1
legal_hold 1
mattermost-plugin-channel-export 1
mattermost-plugin-msteams-meetings 1
mattermost_channel_export 1
mattermost_packages 1
mattermost_plugins 1
Quick Filters