VYPR

Go modules package

github.com/mattermost/mattermost-server

pkg:golang/github.com/mattermost/mattermost-server

Vulnerabilities (161)

  • CVE-2025-9076Sep 15, 2025
    affected >= 10.10.0, < 10.10.2fixed 10.10.2

    Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Matterm

  • CVE-2025-8402Aug 21, 2025
    affected >= 10.8.0, < 10.8.4fixed 10.8.4

    Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.

  • CVE-2025-6465Aug 21, 2025
    affected >= 10.8.0, < 10.8.4fixed 10.8.4

    Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.

  • CVE-2025-47870Aug 21, 2025
    affected >= 10.8.0, < 10.8.4fixed 10.8.4

    Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id.

  • CVE-2025-49222Aug 21, 2025
    affected >= 10.8.0, < 10.8.4fixed 10.8.4

    Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potential

  • CVE-2025-8023Aug 21, 2025
    affected >= 10.8.0, < 10.8.4fixed 10.8.4

    Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enab

  • CVE-2025-53971Aug 21, 2025
    affected >= 10.5.0, < 10.5.9fixed 10.5.9

    Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.

  • CVE-2025-47700Aug 21, 2025
    affected >= 10.5.0, < 10.5.10fixed 10.5.10

    Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions

  • CVE-2025-49810Aug 21, 2025
    affected >= 10.5.0, < 10.5.9fixed 10.5.9

    Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts

  • CVE-2025-36530Aug 21, 2025
    affected >= 10.9.0, < 10.9.2fixed 10.9.2

    Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionali

  • CVE-2025-6227Jul 18, 2025
    affected >= 10.5.0, < 10.5.8fixed 10.5.8

    Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API.

  • CVE-2025-6233Jul 18, 2025
    affected >= 10.8.0, < 10.8.2fixed 10.8.2

    Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.

  • CVE-2025-6226Jul 18, 2025
    affected >= 10.5.0, < 10.5.7fixed 10.5.7

    Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the P

  • CVE-2025-47871Jun 30, 2025
    affected < 0.0.0-20250513065225-4ae5d647fb88fixed 0.0.0-20250513065225-4ae5d647fb88

    Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to acces

  • CVE-2025-46702Jun 30, 2025
    affected < 0.0.0-20250513065225-4ae5d647fb88fixed 0.0.0-20250513065225-4ae5d647fb88

    Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to

  • CVE-2025-3228Jun 20, 2025
    affected < 0.0.0-20250520060012-d0380305ef7afixed 0.0.0-20250520060012-d0380305ef7a

    Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.

  • CVE-2025-3227Jun 20, 2025
    affected < 0.0.0-20250520060012-d0380305ef7afixed 0.0.0-20250520060012-d0380305ef7a

    Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or re

  • CVE-2025-4981Jun 20, 2025
    affected < 0.0.0-20250519205859-65aec10162f6fixed 0.0.0-20250519205859-65aec10162f6

    Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with p

  • CVE-2025-4128Jun 11, 2025
    affected >= 10.5.0, < 10.5.5fixed 10.5.5

    Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}.

  • CVE-2025-4573Jun 11, 2025
    affected >= 10.7.0, < 10.7.2fixed 10.7.2

    Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter inje

Page 4 of 9