VYPR

Mattermost Plugin API

by Mattermost

CVEs (6)

  • CVE-2026-6957 | High | May 27, 2026
    risk 0.52 | cvss 8.0 | epss 0.00

    Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target…

  • CVE-2024-2445 | Medium | Mar 15, 2024
    risk 0.40 | cvss 6.1 | epss 0.00

    Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacker to perform reflected cross-site…

  • CVE-2026-3116 | Medium | Mar 26, 2026
    risk 0.32 | cvss 4.9 | epss 0.00

    Mattermost Plugins versions <=11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to validate incoming request size, which allows an authenticated attacker to cause service disruption via the webhook endpoint. Mattermost Advisory ID: MMSA-2026-00589

  • CVE-2026-6341 | Medium | May 18, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues in or attach comments to, which allows a user who is a member of multiple groups to create issues in a locked group via direct API requests. Mattermost…

  • CVE-2023-3613 | Low | Jul 17, 2023
    risk 0.23 | cvss 3.5 | epss 0.00

    Mattermost WelcomeBot plugin fails to validate the membership status when inviting or adding users to channels, allowing guest accounts to be added or invited to channels by default.

  • CVE-2026-3109 | Low | Mar 26, 2026
    risk 0.14 | cvss 2.2 | epss 0.00

    Mattermost Plugins versions <=11.4 10.11.11.0 fail to validate webhook request timestamps, which allows an attacker to corrupt Zoom meeting state in Mattermost via replayed webhook requests. Mattermost Advisory ID: MMSA-2026-00584