Go modules package
github.com/mattermost/mattermost-plugin-playbooks
pkg:golang/github.com/mattermost/mattermost-plugin-playbooks
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-6343 | Med | 4.3 | | < 1.41.1-0.20260309184833-887d9cacb616 | 1.41.1-0.20260309184833-887d9cacb616 | May 18, 2026 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get.. Mattermost Advisory ID: MMSA-2026-00591 |
| CVE-2026-26304 | — | | | < 1.41.1-0.20260316224925-705f54a81841 | 1.41.1-0.20260316224925-705f54a81841 | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542 |
| CVE-2025-41423 | — | | | >= 2.0.0 | — | Apr 24, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing actions created by the Playbooks |
| CVE-2025-35965 | — | | | >= 2.0.0 | — | Apr 24, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an excessive number of actions trigge |
| CVE-2025-41395 | — | | | >= 2.0.0 | — | Apr 24, 2025 | Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with maliciously crafted props and cau |