mattermost

607 tracked vulnerabilities.

CVE-2026-4643 LOW
Calling window.close() from server-side content causes crash in the Mattermost Desktop App
May 18, 2026
CVSS 3.5
EPSS 0.00
CVE-2026-4286 LOW
Mattermost Playbooks Plugin - Unauthorized Team Transfer
May 18, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-3471 MEDIUM
Opening a window with {{javascript:alert()}} as URL causes crash in the Mattermost Desktop App
May 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-3117 MEDIUM
Instance and webhook GitLab plugin commands were able to be run by non-admin users
May 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-28732 MEDIUM
Mattermost 10.11.0-10.11.13 11.4.0-11.4.3 11.5.0-11.5.1 - Slash Command Hijacking via Trigger-Word Bypass
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6342 MEDIUM
Mattermost Plugins - Incorrect Authorization via Namespace Prefix Bypass
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6341 MEDIUM
Mattermost Plugins - Incorrect Authorization via Direct API Requests
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6340 MEDIUM
Mattermost 10.11.0-10.11.13 11.4.0-11.4.3 11.5.0-11.5.1 - Authenticated Denial of Service via 7zip Archive Processing
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6334 LOW
OAuth authorization code client binding not enforced during token redemption in Mattermost
May 18, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-4273 LOW
Insufficient token rotation validation in remote cluster invite confirmation
May 18, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-3637 MEDIUM
Mattermost fails to enforce create_post permission when editing posts
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-3495 LOW
Mattermost 10.11.0-10.11.13 and 11.5.0-11.5.1 - Stored Cross-Site Scripting in Error Page Configuration
May 18, 2026
CVSS 3.8
EPSS 0.00
CVE-2026-2325 MEDIUM
Improper Input Validation in MS Teams Meetings API Handler
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-28759 MEDIUM
Mattermost Shared Channel Sync - Unauthorized Member Removal
May 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-4054 MEDIUM
SVG content served through Mattermost image proxy despite Content-Type restrictions causes client-side denial of service
May 15, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-4053 LOW
post edit time limit is not enforced on some post update operations
May 15, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-3590 MEDIUM
Race Condition in Guest Magic Link Authentication Allows Token Reuse
Apr 15, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-28741 MEDIUM
CSRF Protection Bypass Allows Updating a User's Authentication Method
Apr 15, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-27769 LOW
Connected Workspaces: Malicious remote server can manipulate arbitrary user's status
Apr 15, 2026
CVSS 2.7
EPSS 0.00
CVE-2026-24661 LOW
Unbounded Request Body Read in MS Teams Plugin {{/changes}} Webhook Endpoint
Apr 09, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-21388 LOW
Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint
Apr 09, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-3524 HIGH
Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check
Apr 06, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-28736 MEDIUM
Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix)
Apr 03, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-25773 HIGH
Focalboard Second-Order SQL Injection in category reorder endpoint allows data exfiltration (unsupported product, no fix)
Apr 03, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-3116 MEDIUM
Improper Input Validation in Zoom Plugin Webhook Handler
Mar 26, 2026
CVSS 4.9
EPSS 0.00