VYPR

Go modules package

github.com/mattermost/mattermost-server

pkg:golang/github.com/mattermost/mattermost-server

Vulnerabilities (161)

  • CVE-2025-12559Nov 27, 2025
    affected >= 11.0.0, < 11.0.3fixed 11.0.3

    Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/comm

  • CVE-2025-12419Nov 27, 2025
    affected >= 10.12.0, < 10.12.2fixed 10.12.2

    Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via m

  • CVE-2025-55074Nov 18, 2025
    affected >= 10.11.0, < 10.11.4fixed 10.11.4

    Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects

  • CVE-2025-11794Nov 14, 2025
    affected >= 10.11.0, < 10.11.4fixed 10.11.4

    Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint

  • CVE-2025-55073Nov 14, 2025
    affected >= 10.11.0, < 10.11.4fixed 10.11.4

    Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.

  • CVE-2025-55070Nov 14, 2025
    affected < 11.1.0fixed 11.1.0

    Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events

  • CVE-2025-41436Nov 14, 2025
    affected < 11.0.0-alpha.1fixed 11.0.0-alpha.1

    Mattermost versions <11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archived channel content and files via the "Open in Channel" functionality from followed threads

  • CVE-2025-11776Nov 14, 2025
    affected < 5.3.2-0.20250815165020-c8d66301415dfixed 5.3.2-0.20250815165020-c8d66301415d

    Mattermost versions <11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint

  • CVE-2025-11777Nov 13, 2025
    affected >= 10.11.0, < 10.11.4fixed 10.11.4

    Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint

  • CVE-2025-58073Oct 16, 2025
    affected >= 10.11.0, < 10.11.2fixed 10.11.2

    Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulati

  • CVE-2025-41410Oct 16, 2025
    affected >= 10.10.0, < 10.10.3fixed 10.10.3

    Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based te

  • CVE-2025-10545Oct 16, 2025
    affected >= 10.5.0, < 10.5.11fixed 10.5.11

    Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint

  • CVE-2025-58075Oct 16, 2025
    affected >= 10.11.0, < 10.11.2fixed 10.11.2

    Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacked to join any team on a Mattermost server regardless of restrictions via manipulati

  • CVE-2025-54499Oct 16, 2025
    affected >= 10.5.0, < 10.5.11fixed 10.5.11

    Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth clie

  • CVE-2025-41443Oct 16, 2025
    affected >= 10.5.0, < 10.5.11fixed 10.5.11

    Mattermost versions 10.5.x <= 10.5.12, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint

  • CVE-2025-9081Sep 19, 2025
    affected >= 10.5.0-rc1, < 10.5.9fixed 10.5.9

    Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration

  • CVE-2025-9079Sep 19, 2025
    affected >= 10.8.0, < 10.8.4fixed 10.8.4

    Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory

  • CVE-2025-9072Sep 15, 2025
    affected >= 10.10.0, < 10.10.2fixed 10.10.2

    Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled

  • CVE-2025-9084Sep 15, 2025
    affected >= 10.5.0, < 10.5.10fixed 10.5.10

    Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs

  • CVE-2025-9078Sep 15, 2025
    affected >= 10.8.0, < 10.8.4fixed 10.8.4

    Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks

Page 3 of 9