Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

Mattermost — Vulnerabilities & Security Advisories 416

All 416 CVE vulnerabilities found in Mattermost, with AI-generated Chinese analysis, references, and POCs.

This page aggregates common vulnerabilities and exposures associated with Mattermost, an open-source, self-hosted collaboration platform designed for secure team communication. It collects security data focusing on issues that allow unauthorized access, privilege escalation, and potential denial of service within the application or its underlying infrastructure. The data covers advisories and reported incidents from January 2020 through the present, ensuring a comprehensive view of the product's evolving security landscape. By utilizing this resource, users can efficiently track vendor advisories to stay informed about critical patches and configuration changes recommended by the Mattermost team. The structured presentation allows developers and security analysts to understand the prevalence and impact of specific weakness classes within the Mattermost ecosystem, facilitating better risk assessment and mitigation strategies. Furthermore, individuals can look up a product's vulnerability history to identify recurring patterns or persistent flaws that may require architectural adjustments or enhanced monitoring. This centralized view supports compliance efforts and helps teams prioritize remediation tasks based on the severity and relevance of past incidents. The goal is to provide transparency and actionable intelligence, enabling organizations to maintain the integrity and confidentiality of their communication channels against known threats.

Vendor: Mattermost

CVE IDTitleCVSSSeverityPublished
CVE-2025-13321 Mattermost Desktop App logging sensitive information and fails to clear data on server deletion CWE-532 3.3 Low2025-12-17
CVE-2025-12689 DoS in Calls plugin via malformed UTF-8 in WebSocket request CWE-1287 6.5 Medium2025-12-17
CVE-2025-62690 Open redirect in error page when link opened in new tab CWE-601 3.1 Low2025-12-17
CVE-2025-13352 Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hijacking CWE-1287 3.0 Low2025-12-17
CVE-2025-62190 CSRF Allows Call Initiation and Message Delivery CWE-352 4.3 Medium2025-12-17
CVE-2025-13870 Unauthorized access and subscription vulnerability in Boards CWE-306 3.1 Low2025-12-02
CVE-2025-12756 Insecure Direct Object Reference in Mattermost Boards Plugin Enables Unauthorised Comment Deletion CWE-863 4.3 Medium2025-12-01
CVE-2025-12421 Account Takeover via Code Exchange Endpoint CWE-303 9.9 Critical2025-11-27
CVE-2025-12559 Information Disclosure in Common Teams API CWE-200 4.3 Medium2025-11-27
CVE-2025-12419 Account takeover on OAuth/OpenID-enabled servers CWE-303 9.9 Critical2025-11-27
CVE-2025-55074 Channel member objects leak read status CWE-1426 3.0 Low2025-11-18
CVE-2025-11794 Password hash and MFA secret returned in user email verification endpoint CWE-200 4.9 Medium2025-11-14
CVE-2025-55073 MS Teams plugin OAuth allows editing arbitrary posts CWE-306 5.4 Medium2025-11-14
CVE-2025-55070 Lack of MFA enforcement in WebSocket connections CWE-306 6.5 Medium2025-11-14
CVE-2025-41436 Unauthorized access to archived channel content via threads interface CWE-863 3.1 Low2025-11-14
CVE-2025-11776 Guest user can discover archived public channels CWE-863 4.3 Medium2025-11-14
CVE-2025-59480 Inadequate validation of SSO redirect credentials permits credential theft CWE-352 6.1 Medium2025-11-13
CVE-2025-11777 Cross-team channel membership access CWE-863 3.1 Low2025-11-13
CVE-2025-55035 Mattermost Desktop DoS when user has basic authentication server configured CWE-754 6.1 Medium2025-10-16
CVE-2025-58073 Arbitrary Mattermost Team can be joined by manipulating the OAuth state CWE-862 8.1 High2025-10-16
CVE-2025-41410 Slack import bypasses email verification for team access controls CWE-862 5.4 Medium2025-10-16
CVE-2025-10545 Guest user can add unauthorized team users to private channels CWE-863 3.1 Low2025-10-16
CVE-2025-58075 Arbitrary Mattermost Team can be joined by manipulating the SAML RelayState CWE-862 8.1 High2025-10-16
CVE-2025-54499 Insecure string comparison enables timing attacks CWE-208 3.1 Low2025-10-16
CVE-2025-41443 Guest user can discover active public channels CWE-862 4.3 Medium2025-10-16
CVE-2025-58084 Mattermost Desktop App crashes when clicking on malformed external URL CWE-1287 3.5 Low2025-10-13
CVE-2025-9081 IDOR in board file download allows any user to download any file by UUID CWE-639 3.1 Low2025-09-19
CVE-2025-9079 Admin RCE via prepackaged plugins by way of misconfigured imports directory CWE-22 8.0 High2025-09-19
CVE-2025-9072 One-Click Mattermost Account Takeover via Poisoned RelayState SAML Parameter CWE-601 7.6 High2025-09-15
CVE-2025-9084 Open redirect in OAuth login CWE-601 3.1 Low2025-09-15

All 416 known CVE vulnerabilities affecting Mattermost with full Chinese analysis, references, and POCs where available.