Go modules package
github.com/mattermost/mattermost-plugin-msteams
pkg:golang/github.com/mattermost/mattermost-plugin-msteams
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-24661 | Low | 3.7 | | < 1.15.1-0.20260213190728-6fe4d295592e | 1.15.1-0.20260213190728-6fe4d295592e | Apr 9, 2026 | Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00611 |
| CVE-2026-21388 | Low | 3.7 | | < 1.15.1-0.20260213190728-6fe4d295592e | 1.15.1-0.20260213190728-6fe4d295592e | Apr 9, 2026 | Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610 |
| CVE-2026-2476 | — | | | < 1.15.1-0.20260102165339-036c761bd3cb | 1.15.1-0.20260102165339-036c761bd3cb | Mar 16, 2026 | Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606 |
| CVE-2025-27936 | — | | | < 2.1.0 | 2.1.0 | Apr 16, 2025 | Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via |