mattermost

607 tracked vulnerabilities.

CVE-2026-6961 HIGH
CVE-2026-6961: Path traversal via unsanitized FileInfo.Name in Mattermost federation sync
Jun 12, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-6739 MEDIUM
Mattermost: Delegated admins could patch protected default system roles
Jun 12, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-6689 MEDIUM
Mattermost Team Creation - Invite Settings Authorization Bypass
Jun 12, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6046 MEDIUM
Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server
Jun 12, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-3433 MEDIUM
Mattermost fails to scope role_updated websocket events to authorized team and channel members
Jun 12, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6957 HIGH
Path traversal in Mattermost Legal Hold plugin via unsanitized file name from federated peer allows arbitrary file write.
May 27, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-4915 MEDIUM
Mattermost - Server Panic via Outgoing Webhook Responses
May 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-28735 MEDIUM
Mattermost - GitHub OAuth Scope Validation
May 22, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-5755 MEDIUM
Mattermost - Denial of Service via Crafted TIFF File Upload
May 22, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-5740 HIGH
Unauthenticated WebSocket binary frame causes denial of service in Mattermost Server
May 22, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-5308 MEDIUM
Missing request body size limits on Zoom plugin HTTP endpoints
May 22, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-4646 MEDIUM
Insufficient input validation in GitHub plugin API causes denial of service
May 22, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-4635 MEDIUM
Persistent notification timing attack causing server denial of service
May 22, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-3636 MEDIUM
Mattermost - Sanitize Team Member Data Returned by API
May 22, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-3473 MEDIUM
Improper file ownership validation in the Boards API allows unauthorised file access
May 22, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-4858 HIGH
Path traversal in integration action URL leading to arbitrary API execution via system admin’s auth token.
May 21, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-22880 MEDIUM
Mobile SSO authentication flow allows credential theft via malicious server
May 21, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-4055 MEDIUM
Insufficient permission validation on cross-team playbook run creation
May 21, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6347 HIGH
Mattermost Calls plugin exposes TURN server credentials in plaintext in support packets
May 18, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-6346 HIGH
Sensitive credentials exposed in plaintext in Mattermost support packets
May 18, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-6345 MEDIUM
Prevent password disclosure and force reset during Slack import
May 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-6343 MEDIUM
Mattermost Playbooks Plugin - Public Playbook Unauthorized Access
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6339 MEDIUM
Missing request origin validation on burn-on-read reveal endpoint
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6333 LOW
SSRF via Host Header Spoofing in Custom Slash Commands
May 18, 2026
CVSS 3.5
EPSS 0.00
CVE-2026-5163 MEDIUM
Missing authorization check in AI message rewrite endpoint allows access to private thread content
May 18, 2026
CVSS 6.5
EPSS 0.00