VYPR

Go modules package

github.com/mattermost/mattermost-server

pkg:golang/github.com/mattermost/mattermost-server

Vulnerabilities (161)

  • CVE-2026-6347HigMay 18, 2026
    affected >= 11.5.0, < 11.5.2fixed 11.5.2

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present i

  • CVE-2026-6346HigMay 18, 2026
    affected < 5.3.2-0.20260326202606-fac92f4a71f3fixed 5.3.2-0.20260326202606-fac92f4a71f3

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive

  • CVE-2026-6345MedMay 18, 2026
    affected < 5.3.2-0.20260311102650-3057ae7e83e9fixed 5.3.2-0.20260311102650-3057ae7e83e9

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail prevent disclosure of created user password which allows a malicious attacker to impersonate a user via the use of some of those passwords.. Mattermost Advisory ID: MMSA-2026-00614

  • CVE-2026-6339MedMay 18, 2026
    affected < 5.3.2-0.20260327001745-7a339a6438f5fixed 5.3.2-0.20260327001745-7a339a6438f5

    Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown imag

  • CVE-2026-6333LowMay 18, 2026
    affected < 5.3.2-0.20260325160634-e738016c5920fixed 5.3.2-0.20260325160634-e738016c5920

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host head

  • CVE-2026-5163MedMay 18, 2026
    affected < 5.3.2-0.20260401090745-f4d1abe7e8f5fixed 5.3.2-0.20260401090745-f4d1abe7e8f5

    Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to th

  • CVE-2026-4273LowMay 18, 2026
    affected < 5.3.2-0.20260313190740-742e0be95074fixed 5.3.2-0.20260313190740-742e0be95074

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token

  • CVE-2026-2325MedMay 18, 2026
    affected >= 11.5.0, < 11.5.2fixed 11.5.2

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST req

  • CVE-2026-28759MedMay 18, 2026
    affected < 5.3.2-0.20260216150504-8738f8c4b3d4fixed 5.3.2-0.20260216150504-8738f8c4b3d4

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any us

  • CVE-2026-3590MedApr 15, 2026
    affected >= 10.11.0-rc1, < 10.11.13fixed 10.11.13

    Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessi

  • CVE-2026-27769LowApr 15, 2026
    affected >= 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20260316060126-bc1a2b34b1f9fixed 8.0.0-20260316060126-bc1a2b34b1f9

    Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected

  • CVE-2026-3113Mar 26, 2026
    affected >= 11.4.0-rc1, < 11.4.1fixed 11.4.1

    Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on downloaded bulk export which allows other local users on the server to be able to read contents of the bulk export.. Mattermost Advisory ID: MMSA-2026-00593

  • CVE-2026-27656Mar 25, 2026
    affected >= 11.4.0-rc1, < 11.4.1fixed 11.4.1

    Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring

  • CVE-2026-26233Mar 25, 2026
    affected >= 11.4.0-rc1, < 11.4.1fixed 11.4.1

    Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel l

  • CVE-2026-24692Mar 16, 2026
    affected < 5.3.2-0.20260107142155-0481bd1fb045fixed 5.3.2-0.20260107142155-0481bd1fb045

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: M

  • CVE-2026-22545Mar 16, 2026
    affected < 5.3.2-0.20260127144908-ced9a56e3988fixed 5.3.2-0.20260127144908-ced9a56e3988

    Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider.. Mattermost Adviso

  • CVE-2026-2455Mar 16, 2026
    affected < 5.3.2-0.20260129133647-5d787969c2d5fixed 5.3.2-0.20260129133647-5d787969c2d5

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.

  • CVE-2026-21386Mar 16, 2026
    affected < 5.3.2-0.20260130144323-5bb5261c72fafixed 5.3.2-0.20260130144323-5bb5261c72fa

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error mes

  • CVE-2026-25780Mar 16, 2026
    affected < 5.3.2-0.20260123215601-86797c508c44fixed 5.3.2-0.20260123215601-86797c508c44

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file.. Matter

  • CVE-2026-4265Mar 16, 2026
    affected < 5.3.2-0.20260107144005-c7f6efdfb035fixed 5.3.2-0.20260107144005-c7f6efdfb035

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission a

Page 1 of 9