VYPR

Go modules package

github.com/mattermost/mattermost-server

pkg:golang/github.com/mattermost/mattermost-server

Vulnerabilities (152)

  • CVE-2026-3590 (Medium) Apr 15, 2026
    affected >= 10.11.0-rc1, < 10.11.13; fixed 10.11.13

    Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple independent authenticated sessi

  • CVE-2026-27769 (Low) Apr 15, 2026
    affected >= 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20260316060126-bc1a2b34b1f9; fixed 8.0.0-20260316060126-bc1a2b34b1f9

    Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Connected Workspaces feature to change the displayed status of local users via the Connected

  • CVE-2026-3113 Mar 26, 2026
    affected >= 11.4.0-rc1, < 11.4.1; fixed 11.4.1

    Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on downloaded bulk export which allows other local users on the server to be able to read contents of the bulk export. Mattermost Advisory ID: MMSA-2026-00593

  • CVE-2026-27656 Mar 25, 2026
    affected >= 11.4.0-rc1, < 11.4.1; fixed 11.4.1

    Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID IsSameUser() comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring

  • CVE-2026-26233 Mar 25, 2026
    affected >= 11.4.0-rc1, < 11.4.1; fixed 11.4.1

    Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel l

  • CVE-2026-24692 Mar 16, 2026
    affected < 5.3.2-0.20260107142155-0481bd1fb045; fixed 5.3.2-0.20260107142155-0481bd1fb045

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: M

  • CVE-2026-22545 Mar 16, 2026
    affected < 5.3.2-0.20260127144908-ced9a56e3988; fixed 5.3.2-0.20260127144908-ced9a56e3988

    Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider. Mattermost Adviso

  • CVE-2026-2455 Mar 16, 2026
    affected < 5.3.2-0.20260129133647-5d787969c2d5; fixed 5.3.2-0.20260129133647-5d787969c2d5

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.

  • CVE-2026-21386 Mar 16, 2026
    affected < 5.3.2-0.20260130144323-5bb5261c72fa; fixed 5.3.2-0.20260130144323-5bb5261c72fa

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error mes

  • CVE-2026-25780 Mar 16, 2026
    affected < 5.3.2-0.20260123215601-86797c508c44; fixed 5.3.2-0.20260123215601-86797c508c44

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file. Matter

  • CVE-2026-4265 Mar 16, 2026
    affected < 5.3.2-0.20260107144005-c7f6efdfb035; fixed 5.3.2-0.20260107144005-c7f6efdfb035

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission a

  • CVE-2026-25783 Mar 16, 2026
    affected < 5.3.2-0.20260129181235-1346cf529aef; fixed 5.3.2-0.20260129181235-1346cf529aef

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586

  • CVE-2026-24458 Mar 16, 2026
    affected < 5.3.2-0.20260129164748-7201f42d955f; fixed 5.3.2-0.20260129164748-7201f42d955f

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00

  • CVE-2026-2578 Mar 16, 2026
    affected < 5.3.2-0.20260127062706-c6b205f0d770; fixed 5.3.2-0.20260127062706-c6b205f0d770

    Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579

  • CVE-2026-26246 Mar 16, 2026
    affected < 5.3.2-0.20260115183946-38b413a27604; fixed 5.3.2-0.20260115183946-38b413a27604

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. M

  • CVE-2026-2458 Mar 16, 2026
    affected < 5.3.2-0.20260113182106-a18b80ba4c32; fixed 5.3.2-0.20260113182106-a18b80ba4c32

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint. Mattermost

  • CVE-2026-2457 Mar 16, 2026
    affected < 5.3.2-0.20260123211116-9efe617be8b8; fixed 5.3.2-0.20260123211116-9efe617be8b8

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Matterm

  • CVE-2026-2463 Mar 16, 2026
    affected < 5.3.2-0.20260105134819-cc427af41b2a; fixed 5.3.2-0.20260105134819-cc427af41b2a

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Matter

  • CVE-2026-2456 Mar 16, 2026
    affected < 5.3.2-0.20260127165411-fe3052073dc6; fixed 5.3.2-0.20260127165411-fe3052073dc6

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integratio

  • CVE-2025-14573 Feb 16, 2026
    affected >= 11.1.0

    Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561

Page 1 of 8