
Mattermost — Vulnerabilities & Security Advisories (382)

Browse all 382 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform for team communication and collaboration, commonly deployed in enterprise environments. It has 382 recorded Common Vulnerabilities and Exposures (CVEs). The advisories shown on this page are dominated by incorrect or missing authorization checks (CWE-863 and CWE-862) in the web interface and API layers, for example a user manager updating a system admin (CVE-2023-4107), a team member soft-deleting teams they do not belong to (CVE-2023-5195), or a guest acting on public playbooks (CVE-2023-4106). The next largest groups are resource-exhaustion denial of service (CWE-400) triggered by crafted Markdown, GIF, notification or search input, and information exposure (CWE-200) such as private channel content leaking through permalink previews (CVE-2023-2792). Most entries carry Low or Medium CVSS scores; the one High-severity entry listed here is missing server certificate validation in the iOS app's WebSocket connection (CVE-2023-3615), and there are single instances of limited blind SSRF (CVE-2023-3577), path traversal in the GitHub plugin (CVE-2023-2797) and WebSocket origin handling (CVE-2023-3581). Self-hosting keeps data under the organization's control but also makes the organization responsible for patching. The server, its plugins (Playbooks, Boards, GitHub, Welcomebot) and the mobile clients each receive separate advisories, so patch management must track all of them, and authorization fixes deserve attention even at Low scores because each one erodes the role separation between guests, members, managers and system admins.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2023-5160 | Full name disclosure via team top membership with Show Full Name option disabled | Mattermost | CWE-200 | 4.3 | Medium | 2023-10-02 |
| CVE-2023-5194 | A system/user manager can demote / deactivate another manager | Mattermost | CWE-863 | 2.7 | Low | 2023-09-29 |
| CVE-2023-5195 | A team member can soft delete other teams that they are not part of | Mattermost | CWE-863 | 6.5 | Medium | 2023-09-29 |
| CVE-2023-5193 | System Role with manage posts permission can read posts of Direct Messages | Mattermost | CWE-863 | 4.9 | Medium | 2023-09-29 |
| CVE-2023-5196 | DoS via Channel Notification Properties | Mattermost | CWE-400 | 6.5 | Medium | 2023-09-29 |
| CVE-2023-5159 | A User Manager role with user edit permissions could manage/update bots | Mattermost | CWE-863 | 3.8 | Low | 2023-09-29 |
| CVE-2023-4478 | Parameter tampering in the registration resulting in blocked accounts to be created | Mattermost | CWE-74 | 4.3 | Medium | 2023-08-25 |
| CVE-2023-4108 | Audit logging fails to sanitize post metadata | Mattermost | CWE-532 | 4.5 | Medium | 2023-08-11 |
| CVE-2023-4107 | Incorrect authorization allows a user manager to update a system admin | Mattermost | CWE-863 | 6.7 | Medium | 2023-08-11 |
| CVE-2023-4106 | A guest user can perform various actions on public playbooks | Mattermost | CWE-862 | 6.3 | Medium | 2023-08-11 |
| CVE-2023-4105 | Attachment of deleted message in a thread remains accessible and downloadable | Mattermost | CWE-862 | 3.1 | Low | 2023-08-11 |
| CVE-2023-3593 | Server crash via a specially crafted markdown input | Mattermost | CWE-400 | 4.3 | Medium | 2023-07-17 |
| CVE-2023-3615 | Lack of server certificate validation in websockets connection | Mattermost iOS app | CWE-295 | 8.1 | High | 2023-07-17 |
| CVE-2023-3614 | Denial of Service via specially crafted gif image | Mattermost | CWE-400 | 4.3 | Medium | 2023-07-17 |
| CVE-2023-3613 | Guest accounts invited and added to channels by Welcomebot plugin | Mattermost Plugins | CWE-863 | 3.5 | Low | 2023-07-17 |
| CVE-2023-3591 | Previous password reset tokens not invalidated on new token creation | Mattermost | CWE-287 | 4.8 | Medium | 2023-07-17 |
| CVE-2023-3590 | Deleted attachments in Boards remain accessible | Mattermost | CWE-863 | 3.1 | Low | 2023-07-17 |
| CVE-2023-3587 | Inconsistent state in UI after boards permission change by system admin | Mattermost | CWE-862 | 2.7 | Low | 2023-07-17 |
| CVE-2023-3586 | Disabling publicly-shared boards does not disable existing publicly available board links | Mattermost | CWE-863 | 4.2 | Medium | 2023-07-17 |
| CVE-2023-3585 | Channel DoS by sharing a boards link | Mattermost | CWE-400 | 4.3 | Medium | 2023-07-17 |
| CVE-2023-3584 | Member can create team with team override scheme | Mattermost | CWE-863 | 3.1 | Low | 2023-07-17 |
| CVE-2023-3582 | Lack of channel membership check when linking a board to a channel | Mattermost | CWE-863 | 4.3 | Medium | 2023-07-17 |
| CVE-2023-3581 | WebSockets accept connections from HTTPS origin | Mattermost | CWE-346 | 6.2 | Medium | 2023-07-17 |
| CVE-2023-3577 | Limited blind SSRF to localhost/intranet in interactive dialog implementation | Mattermost | CWE-918 | 3.5 | Low | 2023-07-17 |
| CVE-2023-2785 | Specially crafted search query can cause large log entries in postgres | Mattermost | CWE-400 | 4.3 | Medium | 2023-06-16 |
| CVE-2023-2831 | Denial of Service while unescaping a Markdown string | Mattermost | CWE-400 | 4.3 | Medium | 2023-06-16 |
| CVE-2023-2797 | Path traversal in GitHub plugin's code preview feature | Mattermost GitHub Plugin | CWE-74 | 3.1 | Low | 2023-06-16 |
| CVE-2023-2793 | Stack exhaustion in PreparePostForClientWithEmbedsAndImages | Mattermost | CWE-400 | 6.5 | Medium | 2023-06-16 |
| CVE-2023-2792 | Ephemeral messages return private channel contents in permalink previews | Mattermost | CWE-200 | 6.5 | Medium | 2023-06-16 |
| CVE-2023-2791 | Playbooks lets you edit arbitrary posts | Mattermost | CWE-862 | 4.3 | Medium | 2023-06-16 |
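As extracted, each advisory above arrives as a single line with the product, CWE, score, severity and date run together, which is what a triage script actually has to consume when it scrapes a listing like this. The Python below is an added example, not part of this listing and not Mattermost's own code: it parses rows in that flattened form into typed records, orders them for patching by CVSS (newest first on ties), counts which weakness classes recur, lists the distinct affected components so plugin and mobile-client advisories are not lost behind the server ones, and checks that the listed severity word agrees with the CVSS v3.x qualitative band for its score, since aggregators sometimes re-score. The five sample rows are copied from the table above; the function names and the regex are my own.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample input: five rows copied from the listing in the flattened
# one-line form the page uses (CVE, title, " — ", product, CWE, CVSS, severity,
# date, with no separator between product and CWE or between severity and date).
RAW_ROWS = """\
CVE-2023-5196 DoS via Channel Notification Properties — MattermostCWE-400 6.5 Medium2023-09-29
CVE-2023-3615 Lack of server certificate validation in websockets connection — Mattermost iOS appCWE-295 8.1 High2023-07-17
CVE-2023-4107 Incorrect authorization allows a user manager to update a system admin — MattermostCWE-863 6.7 Medium2023-08-11
CVE-2023-3577 Limited blind SSRF to localhost/intranet in interactive dialog implementation — MattermostCWE-918 3.5 Low2023-07-17
CVE-2023-3613 Guest accounts invited and added to channels by Welcomebot plugin — Mattermost PluginsCWE-863 3.5 Low2023-07-17
"""

# The product name runs straight into "CWE-" and the severity word runs
# straight into the date, so the pattern anchors on those literal prefixes
# instead of relying on whitespace between every field.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s+—\s+"
    r"(?P<product>.+?)"
    r"(?P<cwe>CWE-\d+)\s+"
    r"(?P<cvss>\d+(?:\.\d+)?)\s+"
    r"(?P<severity>Critical|High|Medium|Low|None)\s*"
    r"(?P<published>\d{4}-\d{2}-\d{2})$"
)


def parse_rows(text):
    """Turn flattened listing rows into typed records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["cvss"] = float(rec["cvss"])
        rec["published"] = date.fromisoformat(rec["published"])
        records.append(rec)
    return records


def severity_band(score):
    """CVSS v3.x qualitative rating for a base score (0.0 None, 0.1-3.9 Low, ...)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def inconsistent_rows(records):
    """CVE IDs whose listed severity word disagrees with the band implied by the score."""
    return [r["cve"] for r in records if severity_band(r["cvss"]) != r["severity"]]


def prioritize(records, min_cvss=6.0):
    """CVE IDs scoring at or above min_cvss, highest score first, newest first on ties."""
    hits = [r for r in records if r["cvss"] >= min_cvss]
    hits.sort(key=lambda r: (-r["cvss"], -r["published"].toordinal()))
    return [r["cve"] for r in hits]


def cwe_histogram(records):
    """Weakness classes by frequency, to see where fixes cluster (CWE-863 dominates this feed)."""
    return Counter(r["cwe"] for r in records)


def components(records):
    """Distinct affected products, so server, plugin and mobile advisories are all tracked."""
    return sorted({r["product"] for r in records})


if __name__ == "__main__":
    recs = parse_rows(RAW_ROWS)
    print("parsed:", len(recs))
    print("patch first:", prioritize(recs))
    print("by CWE:", cwe_histogram(recs).most_common())
    print("components:", components(recs))
    print("severity mismatches:", inconsistent_rows(recs))
```

Run against the full table the same way by pasting the rows into RAW_ROWS. The severity-band check matters because a listing's severity word may come from the aggregator's own scoring rather than the vendor's; a mismatch is a signal to go back to the vendor advisory before deciding the patch order.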

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.