VYPR

Mattermost

by Mattermost

Source repositories

CVEs (476)

  • CVE-2026-6341MedMay 18, 2026
    risk 0.28cvss 4.3epss 0.00

    Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost…

  • CVE-2026-6046MedJun 12, 2026
    risk 0.27cvss 5.3epss 0.00

    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via…

  • CVE-2026-5308MedMay 22, 2026
    risk 0.25cvss 4.9epss 0.00

    Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests.. Mattermost Advisory ID:…

  • CVE-2026-6689MedJun 12, 2026
    risk 0.21cvss 4.3epss 0.00

    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch), which allows an authenticated…

  • CVE-2026-3433MedJun 12, 2026
    risk 0.21cvss 4.3epss 0.00

    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe…

  • CVE-2026-4646MedMay 22, 2026
    risk 0.21cvss 4.3epss 0.00

    Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint..…

  • CVE-2026-3636MedMay 22, 2026
    risk 0.21cvss 4.3epss 0.00

    Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allows a user without permissions to get data about team members roles via invoking…

  • CVE-2026-4055MedMay 21, 2026
    risk 0.21cvss 4.3epss 0.00

    Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run which allows an authenticated team member to create runs in teams where they lack permission via specifying a different team ID in the run…

  • CVE-2026-6343MedMay 18, 2026
    risk 0.21cvss 4.3epss 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get.. Mattermost Advisory ID: MMSA-2026-00591

  • CVE-2026-6339MedMay 18, 2026
    risk 0.21cvss 4.3epss 0.00

    Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown…

  • CVE-2026-28732MedMay 18, 2026
    risk 0.21cvss 4.3epss 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system…

  • CVE-2026-6340MedMay 18, 2026
    risk 0.21cvss 4.3epss 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted 7zip file with…

  • CVE-2026-3637MedMay 18, 2026
    risk 0.21cvss 4.3epss 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests…

  • CVE-2026-2325MedMay 18, 2026
    risk 0.21cvss 4.3epss 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST…

  • CVE-2026-28759MedMay 18, 2026
    risk 0.21cvss 4.3epss 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any…

  • CVE-2026-4054MedMay 15, 2026
    risk 0.21cvss 4.3epss 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header…

  • CVE-2026-3495LowMay 18, 2026
    risk 0.18cvss 3.8epss 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as…

  • CVE-2026-4273LowMay 18, 2026
    risk 0.17cvss 3.7epss 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token…

  • CVE-2026-24661LowApr 9, 2026
    risk 0.17cvss 3.7epss 0.00

    Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00611

  • CVE-2026-21388LowApr 9, 2026
    risk 0.17cvss 3.7epss 0.00

    Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610

Page 2 of 24