
Mattermost — Vulnerabilities & Security Advisories (382)

Browse all 382 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration within enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation or insufficient access controls within its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history highlights the risks associated with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the necessity for rigorous patch management and configuration hardening. Organizations deploying this solution must prioritize regular updates and continuous monitoring to mitigate the inherent risks associated with its large attack surface and frequent exposure to newly discovered exploits.

CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-25783 | Denial of service via malformed User-Agent header in getBrowserVersion | Mattermost | CWE-1287 | 4.3 | Medium | 2026-03-16
CVE-2026-24458 | DoS attack via login attempts with multi-megabyte passwords | Mattermost | CWE-770 | 7.5 | High | 2026-03-16
CVE-2026-2462 | Admin RCE via Malicious Plugin Upload on CI Test Instances | Mattermost | CWE-863 | 6.6 | Medium | 2026-03-16
CVE-2026-2578 | Information Disclosure via WebSocket Event When Deleting Unrevealed Burn on Read Posts | Mattermost | CWE-201 | 4.3 | Medium | 2026-03-16
CVE-2026-26246 | Memory Exhaustion via Malformed PSD File Upload | Mattermost | CWE-789 | 4.3 | Medium | 2026-03-16
CVE-2026-2458 | Unauthorized channel enumeration in private teams after member removal | Mattermost | CWE-862 | 4.3 | Medium | 2026-03-16
CVE-2026-2457 | WebSocket Message Spoofing via Permalink Embed Manipulation | Mattermost | CWE-346 | 4.3 | Medium | 2026-03-16
CVE-2026-2461 | Missing authorization check allows unauthorized modification of other users' comments on a board | Mattermost | CWE-639 | 4.3 | Medium | 2026-03-16
CVE-2026-2463 | Unauthorized access to invite ID during team creation | Mattermost | CWE-862 | 4.3 | Medium | 2026-03-16
CVE-2026-2476 | MS Teams plugin sensitive config values not properly masked in support packets | Mattermost | CWE-200 | 7.6 | High | 2026-03-16
CVE-2026-2456 | Denial of Service via Unbounded Memory Allocation in Integration Actions | Mattermost | CWE-789 | 5.3 | Medium | 2026-03-16
CVE-2026-1628 | Mattermost allows external websites to open within the app, exposing preload functionality to non-trusted sites | Mattermost | CWE-829 | 4.6 | Medium | 2026-03-02
CVE-2025-14573 | Team Admin Bypass of Invite Permissions via allow_open_invite Field | Mattermost | CWE-862 | 3.8 | Low | 2026-02-16
CVE-2026-1046 | Arbitrary application execution via unvalidated server-controlled URLs in Help menu | Mattermost | CWE-939 | 7.6 | High | 2026-02-16
CVE-2025-14350 | Information disclosure via channel mentions in posts | Mattermost | CWE-862 | 4.3 | Medium | 2026-02-16
CVE-2025-13821 | User profile update exposes password hash and MFA secrets | Mattermost | CWE-200 | 5.7 | Medium | 2026-02-16
CVE-2026-0997 | Mattermost Zoom Plugin channel preference API lacks authorization checks | Mattermost | CWE-863 | 4.3 | Medium | 2026-02-16
CVE-2026-0998 | Mattermost Zoom Plugin allows unauthorized meeting creation and post modification via insufficient API access controls | Mattermost | CWE-862 | 4.3 | Medium | 2026-02-16
CVE-2026-0999 | Authentication bypass via userID login when email and username login are disabled | Mattermost | CWE-303 | 5.4 | Medium | 2026-02-16
CVE-2026-20796 | Time-of-check time-of-use vulnerability in common teams API | Mattermost | CWE-367 | 3.1 | Low | 2026-02-13
CVE-2026-22892 | Insufficient Authorization in Mattermost Jira Plugin Allows Unauthorized Access to Post Attachments | Mattermost | CWE-863 | 4.3 | Medium | 2026-02-13
CVE-2025-13523 | Cross-Site Scripting (XSS) via Unescaped Display Names in Mattermost Confluence Plugin OAuth2 Flow | Mattermost Confluence Plugin | CWE-79 | 7.7 | High | 2026-02-06
CVE-2025-14435 | Application-Level DoS via infinite re-render loop in user profile handling | Mattermost | CWE-770 | 6.8 | Medium | 2026-01-16
CVE-2025-14822 | DoS from quadratic complexity in model.ParseHashtags | Mattermost | CWE-407 | 3.1 | Low | 2026-01-16
CVE-2025-64641 | Mattermost Jira plugin crafted action leaks Jira issue details | Mattermost | CWE-863 | 4.1 | Medium | 2025-12-24
CVE-2025-13767 | Unauthorized Read Access to Private Channel Posts via Mattermost Jira Plugin | Mattermost | CWE-863 | 4.3 | Medium | 2025-12-24
CVE-2025-14273 | Mattermost Jira plugin user spoofing enables Jira request forgery | Mattermost | CWE-303 | 7.2 | High | 2025-12-22
CVE-2025-13326 | Mattermost Desktop App fails to enable Hardened Runtime when packaged for Mac App Store | Mattermost | CWE-693 | 3.9 | Low | 2025-12-17
CVE-2025-13324 | Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation | Mattermost | CWE-863 | 3.7 | Low | 2025-12-17
CVE-2025-13321 | Mattermost Desktop App logging sensitive information and fails to clear data on server deletion | Mattermost | CWE-532 | 3.3 | Low | 2025-12-17

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.