VYPR

Go modules package

github.com/mattermost/mattermost-server

pkg:golang/github.com/mattermost/mattermost-server

Vulnerabilities (161)

  • CVE-2026-25783Mar 16, 2026
    affected < 5.3.2-0.20260129181235-1346cf529aeffixed 5.3.2-0.20260129181235-1346cf529aef

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586

  • CVE-2026-24458Mar 16, 2026
    affected < 5.3.2-0.20260129164748-7201f42d955ffixed 5.3.2-0.20260129164748-7201f42d955f

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00

  • CVE-2026-2578Mar 16, 2026
    affected < 5.3.2-0.20260127062706-c6b205f0d770fixed 5.3.2-0.20260127062706-c6b205f0d770

    Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory ID: MMSA-2026-00579

  • CVE-2026-26246Mar 16, 2026
    affected < 5.3.2-0.20260115183946-38b413a27604fixed 5.3.2-0.20260115183946-38b413a27604

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. M

  • CVE-2026-2458Mar 16, 2026
    affected < 5.3.2-0.20260113182106-a18b80ba4c32fixed 5.3.2-0.20260113182106-a18b80ba4c32

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint.. Mattermost

  • CVE-2026-2457Mar 16, 2026
    affected < 5.3.2-0.20260123211116-9efe617be8b8fixed 5.3.2-0.20260123211116-9efe617be8b8

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint.. Matterm

  • CVE-2026-2463Mar 16, 2026
    affected < 5.3.2-0.20260105134819-cc427af41b2afixed 5.3.2-0.20260105134819-cc427af41b2a

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation.. Matter

  • CVE-2026-2456Mar 16, 2026
    affected < 5.3.2-0.20260127165411-fe3052073dc6fixed 5.3.2-0.20260127165411-fe3052073dc6

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Mattermost fails to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integratio

  • CVE-2025-14573Feb 16, 2026
    affected >= 11.1.0

    Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561

  • CVE-2025-14350Feb 16, 2026
    affected >= 11.1.0

    Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observ

  • CVE-2025-13821Feb 16, 2026
    affected >= 11.1.0

    Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Ad

  • CVE-2026-0999Feb 16, 2026
    affected >= 11.1.0

    Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548

  • CVE-2026-20796Feb 13, 2026
    affected >= 10.11.0, < 10.11.10fixed 10.11.10

    Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint.. Mattermost Advisory ID: MM

  • CVE-2026-22892Feb 13, 2026
    affected >= 11.2.0, < 11.2.2fixed 11.2.2

    Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels t

  • CVE-2025-14435Jan 16, 2026
    affected >= 10.11.0, < 10.11.9fixed 10.11.9

    Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops.

  • CVE-2025-14822Jan 16, 2026
    affected >= 10.11.0, < 10.11.9fixed 10.11.9

    Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens

  • CVE-2025-64641Dec 24, 2025
    affected >= 10.11.0, < 10.11.8fixed 10.11.8

    Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users in

  • CVE-2025-13767Dec 24, 2025
    affected >= 10.11.0, < 10.11.8fixed 10.11.8

    Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post

  • CVE-2025-13324Dec 17, 2025
    affected < 11.0.4fixed 11.0.4

    Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an in

  • CVE-2025-12421CriNov 27, 2025
    affected >= 11.0.0, < 11.0.3fixed 11.0.3

    Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specia

Page 2 of 9