Go modules package

github.com/mattermost/mattermost-server/v6

pkg:golang/github.com/mattermost/mattermost-server/v6

Vulnerabilities (47)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-11776	—	< 5.3.2-0.20250815165020-c8d66301415d	5.3.2-0.20250815165020-c8d66301415d	Nov 14, 2025	Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint
CVE-2025-11777	—	< 5.3.2-0.20250905150616-ba86dfc5876b	5.3.2-0.20250905150616-ba86dfc5876b	Nov 13, 2025	Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint
CVE-2025-8402	—	<= 6.7.2	—	Aug 21, 2025	Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.
CVE-2025-47870	—	<= 6.7.2	—	Aug 21, 2025	Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id.
CVE-2025-49222	—	<= 5.7.2	—	Aug 21, 2025	Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potential
CVE-2025-8023	—	<= 6.7.2	—	Aug 21, 2025	Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enab
CVE-2025-53971	—	<= 6.7.2	—	Aug 21, 2025	Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.
CVE-2025-36530	—	<= 6.7.2	—	Aug 21, 2025	Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionali
CVE-2024-39837	—	< 6.0.0-20240626164322-c758cecaf30c	6.0.0-20240626164322-c758cecaf30c	Aug 1, 2024	Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.
CVE-2024-28053	—	< 0.0.0-20240209181221-674f549daf0e	0.0.0-20240209181221-674f549daf0e	Mar 15, 2024	Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.
CVE-2023-47858	—	< 7.8.10	7.8.10	Jan 2, 2024	Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams//channels/deleted endpoint.
CVE-2023-48732	—	< 8.1.7	8.1.7	Jan 2, 2024	Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.
CVE-2023-6459	—	< 7.8.14	7.8.14	Dec 6, 2023	Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.
CVE-2023-6458	—	< 7.8.14	7.8.14	Dec 6, 2023	Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal.
CVE-2023-47168	—	< 7.8.13	7.8.13	Nov 27, 2023	Mattermost fails to properly check a redirect URL parameter allowing for an open redirect was possible when the user clicked "Back to Mattermost" after providing a invalid custom url scheme in /oauth/{service}/mobile_login?redirect_to=
CVE-2023-6202	—	< 7.8.13	7.8.13	Nov 27, 2023	Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g. name, surname, nickname) via Mattermost Boards.
CVE-2023-43754	—	< 7.8.13	7.8.13	Nov 27, 2023	Mattermost fails to check whether the “Allow users to view archived channels” setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the “Allow users to view archived channels” setting is disabled.
CVE-2023-48369	—	< 7.8.13	7.8.13	Nov 27, 2023	Mattermost fails to limit the log size of server logs allowing an attacker sending specially crafted requests to different endpoints to potentially overflow the log.
CVE-2023-35075	—	< 7.8.13	7.8.13	Nov 27, 2023	Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though.
CVE-2023-40703	—	< 7.8.13	7.8.13	Nov 27, 2023	Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing a attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string.

CVE-2025-11776Nov 14, 2025
affected < 5.3.2-0.20250815165020-c8d66301415dfixed 5.3.2-0.20250815165020-c8d66301415d
Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint
CVE-2025-11777Nov 13, 2025
affected < 5.3.2-0.20250905150616-ba86dfc5876bfixed 5.3.2-0.20250905150616-ba86dfc5876b
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint
CVE-2025-8402Aug 21, 2025
affected <= 6.7.2
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.
CVE-2025-47870Aug 21, 2025
affected <= 6.7.2
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id.
CVE-2025-49222Aug 21, 2025
affected <= 5.7.2
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potential
CVE-2025-8023Aug 21, 2025
affected <= 6.7.2
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enab
CVE-2025-53971Aug 21, 2025
affected <= 6.7.2
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.
CVE-2025-36530Aug 21, 2025
affected <= 6.7.2
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionali
CVE-2024-39837Aug 1, 2024
affected < 6.0.0-20240626164322-c758cecaf30cfixed 6.0.0-20240626164322-c758cecaf30c
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.
CVE-2024-28053Mar 15, 2024
affected < 0.0.0-20240209181221-674f549daf0efixed 0.0.0-20240209181221-674f549daf0e
Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.
CVE-2023-47858Jan 2, 2024
affected < 7.8.10fixed 7.8.10
Mattermost fails to properly verify the permissions needed for viewing archived public channels, allowing a member of one team to get details about the archived public channels of another team via the GET /api/v4/teams//channels/deleted endpoint.
CVE-2023-48732Jan 2, 2024
affected < 8.1.7fixed 8.1.7
Mattermost fails to scope the WebSocket response around notified users to a each user separately resulting in the WebSocket broadcasting the information about who was notified about a post to everyone else in the channel.
CVE-2023-6459Dec 6, 2023
affected < 7.8.14fixed 7.8.14
Mattermost is grouping calls in the /metrics endpoint by id and reports that id in the response. Since this id is the channelID, the public /metrics endpoint is revealing channelIDs.
CVE-2023-6458Dec 6, 2023
affected < 7.8.14fixed 7.8.14
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal.
CVE-2023-47168Nov 27, 2023
affected < 7.8.13fixed 7.8.13
Mattermost fails to properly check a redirect URL parameter allowing for an open redirect was possible when the user clicked "Back to Mattermost" after providing a invalid custom url scheme in /oauth/{service}/mobile_login?redirect_to=
CVE-2023-6202Nov 27, 2023
affected < 7.8.13fixed 7.8.13
Mattermost fails to perform proper authorization in the /plugins/focalboard/api/v2/users endpoint allowing an attacker who is a guest user and knows the ID of another user to get their information (e.g. name, surname, nickname) via Mattermost Boards.
CVE-2023-43754Nov 27, 2023
affected < 7.8.13fixed 7.8.13
Mattermost fails to check whether the “Allow users to view archived channels” setting is enabled during permalink previews display, allowing members to view permalink previews of archived channels even if the “Allow users to view archived channels” setting is disabled.
CVE-2023-48369Nov 27, 2023
affected < 7.8.13fixed 7.8.13
Mattermost fails to limit the log size of server logs allowing an attacker sending specially crafted requests to different endpoints to potentially overflow the log.
CVE-2023-35075Nov 27, 2023
affected < 7.8.13fixed 7.8.13
Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though.
CVE-2023-40703Nov 27, 2023
affected < 7.8.13fixed 7.8.13
Mattermost fails to properly limit the characters allowed in different fields of a block in Mattermost Boards allowing a attacker to consume excessive resources, possibly leading to Denial of Service, by patching the field of a block using a specially crafted string.

Page 1 of 3