VYPR

Go modules package

github.com/mattermost/mattermost-server/v5

pkg:golang/github.com/mattermost/mattermost-server/v5

Vulnerabilities (17)

  • CVE-2025-11776 (Nov 14, 2025)
    affected: < 5.3.2-0.20250815165020-c8d66301415d; fixed: 5.3.2-0.20250815165020-c8d66301415d

    Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint

  • CVE-2025-11777 (Nov 13, 2025)
    affected: < 5.3.2-0.20250905150616-ba86dfc5876b; fixed: 5.3.2-0.20250905150616-ba86dfc5876b

    Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint

  • CVE-2025-8402 (Aug 21, 2025)
    affected: <= 5.39.3

    Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.

  • CVE-2025-47870 (Aug 21, 2025)
    affected: <= 5.39.3

    Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint, which allows a team admin with no member invite privileges to obtain the team's invite ID.

  • CVE-2025-49222 (Aug 21, 2025)
    affected: <= 5.39.3

    Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potential

  • CVE-2025-8023 (Aug 21, 2025)
    affected: <= 5.39.5

    Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enab

  • CVE-2025-53971 (Aug 21, 2025)
    affected: <= 5.39.3

    Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.

  • CVE-2025-36530 (Aug 21, 2025)
    affected: <= 5.11.1

    Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionali

  • CVE-2024-39837 (Aug 1, 2024)
    affected: < 5.3.2-0.20240626164322-c758cecaf30c; fixed: 5.3.2-0.20240626164322-c758cecaf30c

    Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.

  • CVE-2024-28053 (Mar 15, 2024)
    affected: < 0.0.0-20240209181221-674f549daf0e; fixed: 0.0.0-20240209181221-674f549daf0e

    Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.

  • CVE-2023-5968 (Nov 6, 2023)
    affected: < 5.3.2-0.20230825233148-f787fd63368a; fixed: 5.3.2-0.20230825233148-f787fd63368a

    Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body.

  • CVE-2023-1776 (Mar 31, 2023)
    affected: >= 5.0.0, < 7.1.6; fixed: 7.1.6

    Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.

  • CVE-2023-1775 (Mar 31, 2023)
    affected: >= 5.0.0, < 7.1.6; fixed: 7.1.6

    When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.

  • CVE-2023-1774 (Mar 31, 2023)
    affected: >= 5.0.0, < 7.1.6; fixed: 7.1.6

    When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.

  • CVE-2022-1332 (Apr 13, 2022)
    affected: < 5.37.9; fixed: 5.37.9

    One of the APIs in Mattermost version 6.4.1 and earlier fails to properly enforce permissions, which allows authenticated members with a restricted custom admin role to bypass the restrictions and view the server logs and the server's config.json file contents.

  • CVE-2021-37860 (Sep 22, 2021)
    affected: < 5.39.0; fixed: 5.39.0

    Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP.

  • CVE-2020-14457 (Jun 19, 2020)
    affected: < 5.20.0; fixed: 5.20.0

    An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the update_team WebSocket event, aka MMSA-2020-0012.