
Mattermost — Vulnerabilities & Security Advisories (408)

Browse all 408 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration in enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been affected by critical security flaws, including remote code execution, cross-site scripting, and privilege escalation. These issues most often stem from improper input validation or insufficient access controls in its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history illustrates the risks that come with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the need for rigorous patch management and configuration hardening. Organizations deploying Mattermost should prioritize regular updates and continuous monitoring to mitigate the risks of its large attack surface and frequent exposure to newly discovered exploits.

Found 378 results / 408

| CVE ID | Title | Vendor | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2024-1402 | Denial of service in Mattermost mobile apps and server via emoji reactions | Mattermost | CWE-400 | 4.3 | Medium | 2024-02-09 |
| CVE-2024-24776 | Incorrect authorization leads to channel member count leak | Mattermost | CWE-284 | 3.1 | Low | 2024-02-09 |
| CVE-2024-24774 | Missing authorization allows users to access arbitrary security levels on Jira through webhooks (Jira Plugin) | Mattermost | CWE-863 | 3.4 | Low | 2024-02-09 |
| CVE-2024-23319 | CSRF issue allows disconnecting a user's Jira connection through a simple post message (Jira Plugin) | Mattermost | CWE-352 | 3.5 | Low | 2024-02-09 |
| CVE-2023-47858 | Details of archived public channels are leaked to members of another team | Mattermost | CWE-284 | 4.3 | Medium | 2024-01-02 |
| CVE-2023-50333 | Lack of restriction to manage group names for freshly demoted guests | Mattermost | CWE-284 | 3.7 | Low | 2024-01-02 |
| CVE-2023-48732 | Keywords that trigger mentions are leaked to other users | Mattermost | CWE-200 | 4.3 | Medium | 2024-01-02 |
| CVE-2023-7114 | Mattermost security vulnerability | Mattermost | CWE-74 | 7.1 | High | 2023-12-29 |
| CVE-2023-7113 | Mattermost security vulnerability | Mattermost | CWE-79 | 3.7 | Low | 2023-12-29 |
| CVE-2023-6727 | Leak of inaccessible Playbook information via channel action IDOR | Mattermost | CWE-200 | 3.1 | Low | 2023-12-12 |
| CVE-2023-45316 | Reflected client-side path traversal leading to CSRF in Playbooks | Mattermost | CWE-352 | 7.3 | High | 2023-12-12 |
| CVE-2023-6547 | Playbooks access/modification by removed team member | Mattermost | CWE-284 | 3.7 | Low | 2023-12-12 |
| CVE-2023-49607 | Playbook plugin crash via missing interface type assertion | Mattermost | CWE-754 | 4.3 | Medium | 2023-12-12 |
| CVE-2023-49809 | Todo plugin gets crashed and disabled by member | Mattermost | CWE-400 | 4.3 | Medium | 2023-12-12 |
| CVE-2023-46701 | Inaccessible post information leak via run timeline IDOR | Mattermost | CWE-200 | 6.5 | Medium | 2023-12-12 |
| CVE-2023-49874 | IDOR when updating the tasks of a private playbook run | Mattermost | CWE-284 | 4.3 | Medium | 2023-12-12 |
| CVE-2023-45847 | Playbook plugin crash via run checklist | Mattermost | CWE-400 | 4.3 | Medium | 2023-12-12 |
| CVE-2023-6459 | Public endpoint /metrics of Calls plugin reveals channel IDs | Mattermost | CWE-200 | 5.3 | Medium | 2023-12-06 |
| CVE-2023-6458 | Client-side path traversal due to lack of route parameter validation | Mattermost | CWE-74 | 7.1 | High | 2023-12-06 |
| CVE-2023-47168 | Open redirect in /oauth/<service>/mobile_login?redirect_to= | Mattermost | CWE-601 | 4.3 | Medium | 2023-11-27 |
| CVE-2023-6202 | Insecure direct object reference in /plugins/focalboard/api/v2/users of Mattermost Boards | Mattermost | CWE-284 | 4.3 | Medium | 2023-11-27 |
| CVE-2023-43754 | Permalink previews displayed for posts in archived channels even if users are disallowed to view archived channels | Mattermost | CWE-200 | 4.3 | Medium | 2023-11-27 |
| CVE-2023-48369 | Log flooding due to specially crafted requests in different endpoints | Mattermost | CWE-400 | 4.3 | Medium | 2023-11-27 |
| CVE-2023-35075 | HTML injection via channel autocomplete | Mattermost | CWE-74 | 3.1 | Low | 2023-11-27 |
| CVE-2023-40703 | Denial of service via specially crafted block fields in Mattermost Boards | Mattermost | CWE-400 | 4.3 | Medium | 2023-11-27 |
| CVE-2023-48268 | Denial of service via board import zip bomb | Mattermost | CWE-400 | 4.3 | Medium | 2023-11-27 |
| CVE-2023-45223 | Users' full name disclosure through Mattermost Boards with Show Full Name option disabled | Mattermost | CWE-200 | 4.3 | Medium | 2023-11-27 |
| CVE-2023-47865 | Username and icon override can be used by members when Hardened Mode is enabled | Mattermost | CWE-284 | 4.3 | Medium | 2023-11-27 |
| CVE-2023-5969 | Denial of service via link preview in /api/v4/redirect_location | Mattermost | CWE-400 | 5.3 | Medium | 2023-11-06 |
| CVE-2023-5968 | Password hash in response body after username update | Mattermost | CWE-200 | 4.9 | Medium | 2023-11-06 |

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.