VYPR
Vendor

Mattermost

Mattermost is an open-source, self-hostable online chat service with file sharing, search, and third-party application integrations. It is designed as an internal chat for organisations and companies, and mostly markets itself as an open-source alternative to Slack and Microsoft Teams.

Products
20
CVEs
523
Across products
563
Status
Private

Products

20

Recent CVEs

523
View all 523 CVEs →
  • CVE-2026-3524HigApr 6, 2026
    risk 0.57cvss 8.8epss 0.00

    Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints.…

  • CVE-2026-25773HigApr 3, 2026
    risk 0.53cvss 8.1epss 0.00

    ** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and…

  • CVE-2026-6957HigMay 27, 2026
    risk 0.52cvss 8.0epss 0.00

    Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target…

  • CVE-2026-7387HigJun 12, 2026
    risk 0.50cvss 8.8epss 0.00

    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a user with group-link…

  • CVE-2026-6346HigMay 18, 2026
    risk 0.50cvss 8.7epss 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive…

  • CVE-2026-4858HigMay 21, 2026
    risk 0.45cvss 8.0epss 0.00

    Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal…

  • CVE-2026-8683MedJun 15, 2026
    risk 0.42cvss 6.5epss 0.00

    Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application via including a script to call window.open on a very large URL. Mattermost…

  • CVE-2026-6961HigJun 12, 2026
    risk 0.42cvss 7.6epss 0.00

    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federated server to write files to…

  • CVE-2026-5740HigMay 22, 2026
    risk 0.42cvss 7.5epss 0.00

    Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation which allows an unauthenticated remote attacker to crash the server process and cause a full service…

  • CVE-2026-6347HigMay 18, 2026
    risk 0.42cvss 7.6epss 0.00

    Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present…

  • CVE-2026-3471MedMay 18, 2026
    risk 0.42cvss 6.5epss 0.00

    Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling {{window.open('javascript:alert()');}}.…

  • CVE-2026-3117MedMay 18, 2026
    risk 0.42cvss 6.5epss 0.00

    Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or setup webhook connections via the {{gitlab instance {option}}} or the {{/gitlab…

  • CVE-2026-6517MedJun 15, 2026
    risk 0.41cvss 6.3epss 0.00

    Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other users credentials via…

  • CVE-2026-22880MedMay 21, 2026
    risk 0.40cvss 6.1epss 0.00

    Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via…

  • CVE-2026-6739MedJun 12, 2026
    risk 0.37cvss 6.7epss 0.00

    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate…

  • CVE-2026-28741MedApr 15, 2026
    risk 0.37cvss 6.8epss 0.00

    Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a…

  • CVE-2026-7184MedJun 12, 2026
    risk 0.35cvss 6.5epss 0.00

    Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the {{manage_secure_connections}} permission to obtain remote cluster authentication tokens via…

  • CVE-2026-4915MedMay 25, 2026
    risk 0.35cvss 6.5epss 0.00

    Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termination) via…

  • CVE-2026-5755MedMay 22, 2026
    risk 0.35cvss 6.5epss 0.00

    Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or posting permissions to cause a…

  • CVE-2026-4635MedMay 22, 2026
    risk 0.35cvss 6.5epss 0.00

    Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications which allows authenticated user to crash the server via timing the creation of persistent notification message…