Desktop
by Mattermost
CVEs (19)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-8683 | | Med | 0.42 | 6.5 | 0.00 | | Jun 15, 2026 | Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application via including a script to call window.open on a very large URL. Mattermost… |
| CVE-2026-3471 | | Med | 0.42 | 6.5 | 0.00 | | May 18, 2026 | Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeatedly crash the application via calling {{window.open('javascript:alert()');}}.… |
| CVE-2026-6517 | | Med | 0.41 | 6.3 | 0.00 | | Jun 15, 2026 | Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users' credentials via… |
| CVE-2026-1628 | | | 0.00 | — | 0.00 | | Mar 2, 2026 | Mattermost Desktop App versions <=5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their… |
| CVE-2026-1046 | | | 0.00 | — | 0.00 | | Feb 16, 2026 | Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a user’s system via the user clicking on certain items in the Help menu. Mattermost Advisory ID: MMSA-2026-00577 |
| CVE-2025-13326 | | | 0.00 | — | 0.00 | | Dec 17, 2025 | Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder. |
| CVE-2025-13321 | | | 0.00 | — | 0.00 | | Dec 17, 2025 | Mattermost Desktop App versions <6.0.0 fail to sanitize sensitive information from Mattermost logs and clear data on server deletion which allows an attacker with access to the user's system to gain access to potentially sensitive information via reading the application logs. |
| CVE-2025-55035 | | | 0.00 | — | 0.00 | | Oct 16, 2025 | Mattermost Desktop App versions <=5.13.0 fail to manage modals in the Mattermost Desktop App that stops a user with a server that uses basic authentication from accessing their server which allows an attacker that provides a malicious server to the user to deny use of the… |
| CVE-2025-58084 | | | 0.00 | — | 0.00 | | Oct 13, 2025 | Mattermost Desktop App versions <= 5.13.0 fail to validate URLs external to the configured Mattermost servers, allowing an attacker on a server the user has configured to crash the user's application by sending the user a malformed URL. |
| CVE-2023-5875 | | | 0.00 | — | 0.00 | | Nov 2, 2023 | Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones, allowing media exploitation from a malicious Mattermost server. |
| CVE-2023-5339 | | | 0.00 | — | 0.00 | | Oct 17, 2023 | Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation, resulting in all keystrokes, including password entry, being logged. |
| CVE-2023-2000 | | | 0.00 | — | 0.00 | | May 2, 2023 | Mattermost Desktop App fails to validate a Mattermost server redirection and navigates to an arbitrary website. |
| CVE-2016-11064 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Desktop App before 3.4.0. Strings could be executed as code via injection. |
| CVE-2018-21265 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Desktop App before 4.0.0. It mishandled the Same Origin Policy for setPermissionRequestHandler (e.g., video, audio, and notifications). |
| CVE-2019-20861 | | | 0.00 | — | 0.02 | | Jun 19, 2020 | An issue was discovered in Mattermost Desktop App before 4.2.2. It allows attackers to execute arbitrary code via a crafted link. |
| CVE-2019-20856 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Desktop App before 4.3.0 on macOS. It allows dylib injection. |
| CVE-2020-14456 | | | 0.00 | — | 0.00 | | Jun 19, 2020 | An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006. |
| CVE-2020-14455 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Desktop App before 4.4.0. Prompting for HTTP Basic Authentication is mishandled, allowing phishing, aka MMSA-2020-0007. |
| CVE-2020-14454 | | | 0.00 | — | 0.01 | | Jun 19, 2020 | An issue was discovered in Mattermost Desktop App before 4.4.0. Attackers can open web pages in the desktop application because server redirection is mishandled, aka MMSA-2020-0008. |