VYPR

Go modules package

github.com/mattermost/mattermost-plugin-playbooks

pkg:golang/github.com/mattermost/mattermost-plugin-playbooks

Vulnerabilities (5)

  • CVE-2026-6343 | Med | May 18, 2026
    affected < 1.41.1-0.20260309184833-887d9cacb616 | fixed 1.41.1-0.20260309184833-887d9cacb616

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get.. Mattermost Advisory ID: MMSA-2026-00591

  • CVE-2026-26304 | Mar 16, 2026
    affected < 1.41.1-0.20260316224925-705f54a81841 | fixed 1.41.1-0.20260316224925-705f54a81841

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542

  • CVE-2025-41423 | Apr 24, 2025
    affected >= 2.0.0

    Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks

  • CVE-2025-35965 | Apr 24, 2025
    affected >= 2.0.0

    Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions trigge

  • CVE-2025-41395 | Apr 24, 2025
    affected >= 2.0.0

    Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cau