
Mattermost — Vulnerabilities & Security Advisories (418)

Browse all 418 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration within enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation or insufficient access controls within its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history highlights the risks associated with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the necessity for rigorous patch management and configuration hardening. Organizations deploying this solution must prioritize regular updates and continuous monitoring to mitigate the inherent risks associated with its large attack surface and frequent exposure to newly discovered exploits.

Showing 388 of 418 results
| CVE ID | Title | Vendor | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-6957 | Path traversal in Mattermost Legal Hold plugin via unsanitized file name from federated peer allows arbitrary file write | Mattermost | CWE-22 | 8.0 | High | 2026-05-27 |
| CVE-2026-4915 | Server panic via outgoing webhook responses | Mattermost | CWE-754 | 6.5 | Medium | 2026-05-25 |
| CVE-2026-28735 | GitHub OAuth Scope Validation | Mattermost | CWE-863 | 5.4 | Medium | 2026-05-22 |
| CVE-2026-4635 | Persistent notification timing attack causing server denial of service | Mattermost | CWE-362 | 6.5 | Medium | 2026-05-22 |
| CVE-2026-3473 | Improper file ownership validation in the Boards API allows unauthorised file access | Mattermost | CWE-639 | 5.9 | Medium | 2026-05-22 |
| CVE-2026-4646 | Insufficient input validation in GitHub plugin API causes denial of service | Mattermost | CWE-1287 | 4.3 | Medium | 2026-05-22 |
| CVE-2026-3636 | Sanitize team member data returned by API | Mattermost | CWE-200 | 4.3 | Medium | 2026-05-22 |
| CVE-2026-5740 | Unauthenticated WebSocket binary frame causes denial of service in Mattermost Server | Mattermost | CWE-789 | 7.5 | High | 2026-05-22 |
| CVE-2026-5308 | Missing request body size limits on Zoom plugin HTTP endpoints | Mattermost | CWE-400 | 4.9 | Medium | 2026-05-22 |
| CVE-2026-5755 | Denial of service via crafted TIFF file upload | Mattermost | CWE-400 | 6.5 | Medium | 2026-05-22 |
| CVE-2026-22880 | Mobile SSO authentication flow allows credential theft via malicious server | Mattermost | CWE-352 | 6.1 | Medium | 2026-05-21 |
| CVE-2026-4858 | Path traversal in integration action URL leading to arbitrary API execution via system admin's auth token | Mattermost | CWE-22 | 8.0 | High | 2026-05-21 |
| CVE-2026-4055 | Insufficient permission validation on cross-team playbook run creation | Mattermost | CWE-863 | 4.3 | Medium | 2026-05-21 |
| CVE-2026-3471 | Opening a window with {{javascript:alert()}} as URL causes crash in the Mattermost Desktop App | Mattermost | CWE-939 | 6.5 | Medium | 2026-05-18 |
| CVE-2026-4643 | Calling window.close() from server-side content causes crash in the Mattermost Desktop App | Mattermost | CWE-754 | 3.5 | Low | 2026-05-18 |
| CVE-2026-6333 | SSRF via Host Header Spoofing in Custom Slash Commands | Mattermost | CWE-918 | 3.5 | Low | 2026-05-18 |
| CVE-2026-6345 | Prevent password disclosure and force reset during Slack import | Mattermost | CWE-522 | 6.5 | Medium | 2026-05-18 |
| CVE-2026-6346 | Sensitive credentials exposed in plaintext in Mattermost support packets | Mattermost | CWE-200 | 8.7 | High | 2026-05-18 |
| CVE-2026-28732 | Slash command trigger-word update allowed command hijacking | Mattermost | CWE-863 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-6343 | Mattermost Playbooks Plugin fails to enforce view permissions in list endpoints, allowing unauthorized access to public playbooks | Mattermost | CWE-863 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-6347 | Mattermost Calls plugin exposes TURN server credentials in plaintext in support packets | Mattermost | CWE-200 | 7.6 | High | 2026-05-18 |
| CVE-2026-5163 | Missing authorization check in AI message rewrite endpoint allows access to private thread content | Mattermost | CWE-862 | 6.5 | Medium | 2026-05-18 |
| CVE-2026-3117 | Instance and webhook GitLab plugin commands were able to be run by non-admin users | Mattermost | CWE-862 | 6.5 | Medium | 2026-05-18 |
| CVE-2026-4286 | Playbooks Plugin fails to validate team transfers, allowing unauthorized removal of member access via playbook update | Mattermost | CWE-863 | 3.1 | Low | 2026-05-18 |
| CVE-2026-6339 | Missing request origin validation on burn-on-read reveal endpoint | Mattermost | CWE-346 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-6340 | Memory Exhaustion via Malicious 7zip File Upload | Mattermost | CWE-789 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-6341 | Incomplete group locking implementation | Mattermost | CWE-863 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-6342 | Group prefix matching bypass for subscriptions | Mattermost | CWE-863 | 4.3 | Medium | 2026-05-18 |
| CVE-2026-3495 | Unescaped variables during error page composition | Mattermost | CWE-79 | 3.8 | Low | 2026-05-18 |
| CVE-2026-4273 | Insufficient token rotation validation in remote cluster invite confirmation | Mattermost | CWE-863 | 3.7 | Low | 2026-05-18 |

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.