
Mattermost — Vulnerabilities & Security Advisories (382)

Browse all 382 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration within enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation or insufficient access controls within its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history highlights the risks associated with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the necessity for rigorous patch management and configuration hardening. Organizations deploying this solution must prioritize regular updates and continuous monitoring to mitigate the inherent risks associated with its large attack surface and frequent exposure to newly discovered exploits.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-9076 | Mattermost Server exposes sensitive user credentials during shared channel membership synchronization | Mattermost | CWE-862 | 6.5 | Medium | 2025-09-15 |
| CVE-2025-6465 | Path traversal in image upload with preview overwrite | Mattermost | CWE-22 | 4.3 | Medium | 2025-08-21 |
| CVE-2025-8402 | Nil pointer dereference in bulk import crashes server | Mattermost | CWE-1287 | 4.9 | Medium | 2025-08-21 |
| CVE-2025-47870 | Team invite ID leaked to team admin with no member invite privileges | Mattermost | CWE-306 | 4.3 | Medium | 2025-08-21 |
| CVE-2025-49222 | Mattermost Shared Channel Upload Type Validation Bypass | Mattermost | CWE-434 | 6.8 | Medium | 2025-08-21 |
| CVE-2025-8023 | Path Traversal in Template Upload Allows Uploading Files Outside Target Directory | Mattermost | CWE-22 | 6.8 | Medium | 2025-08-21 |
| CVE-2025-53971 | Channel and Team Membership APIs inadvertently allow loss of Member privileges | Mattermost | CWE-863 | 3.8 | Low | 2025-08-21 |
| CVE-2025-47700 | AI plugin APIs can be triggered using post actions | Mattermost | CWE-918 | 3.5 | Low | 2025-08-21 |
| CVE-2025-49810 | Thread summarization allows persistent access to channel | Mattermost | CWE-863 | 3.5 | Low | 2025-08-21 |
| CVE-2025-36530 | Import Path Traversal Enables Unauthorized Unsigned Plugin Installation | Mattermost | CWE-22 | 6.8 | Medium | 2025-08-21 |
| CVE-2025-8285 | Unauthorized Channel Subscription Creation in Mattermost Confluence Plugin | Mattermost Confluence Plugin | CWE-862 | 4.0 | Medium | 2025-08-11 |
| CVE-2025-54525 | Unexpected input to Create Channel Subscription endpoint causes DoS in Mattermost Confluence Plugin | Mattermost Confluence Plugin | CWE-1287 | 7.5 | High | 2025-08-11 |
| CVE-2025-54478 | Unauthenticated Channel Subscription Edit in Mattermost Confluence Plugin | Mattermost Confluence Plugin | CWE-306 | 7.2 | High | 2025-08-11 |
| CVE-2025-54458 | Unauthorized Subscription Creation to Confluence Space in Mattermost Confluence Plugin | Mattermost Confluence Plugin | CWE-862 | 5.0 | Medium | 2025-08-11 |
| CVE-2025-54463 | Unexpected Input to Cloud Webhook endpoint Causes DoS in Mattermost Confluence Plugin | Mattermost Confluence Plugin | CWE-754 | 5.9 | Medium | 2025-08-11 |
| CVE-2025-53910 | Unauthorized Channel Subscription Edit in Mattermost Confluence Plugin | Mattermost Confluence Plugin | CWE-862 | 4.0 | Medium | 2025-08-11 |
| CVE-2025-53514 | Unexpected Input to Server Webhook endpoint Causes DoS in Mattermost Confluence Plugin | Mattermost Confluence Plugin | CWE-754 | 5.9 | Medium | 2025-08-11 |
| CVE-2025-53857 | Lack of Authorization on Get Channel Subscriptions for Autocomplete in Mattermost Confluence Plugin | Mattermost Confluence Plugin | CWE-862 | 3.7 | Low | 2025-08-11 |
| CVE-2025-52931 | Unexpected input to Update Channel Subscription endpoint causes DoS in Mattermost Confluence Plugin | Mattermost Confluence Plugin | CWE-754 | 7.5 | High | 2025-08-11 |
| CVE-2025-49221 | Unauthenticated Access to Channel Subscription in Mattermost Confluence Plugin | Mattermost Confluence Plugin | CWE-862 | 3.7 | Low | 2025-08-11 |
| CVE-2025-48731 | Unauthorized Subscription Edit to Confluence Space in Mattermost Confluence Plugin | Mattermost Confluence Plugin | CWE-862 | 6.4 | Medium | 2025-08-11 |
| CVE-2025-44004 | Unauthenticated Channel Subscription Creation in Mattermost Confluence Plugin | Mattermost Confluence Plugin | CWE-306 | 7.2 | High | 2025-08-11 |
| CVE-2025-44001 | Unauthorized Channel Subscription Read in Mattermost Confluence Plugin | Mattermost Confluence Plugin | CWE-862 | 4.0 | Medium | 2025-08-11 |
| CVE-2025-6227 | Invite token is used as part of the secure communication | Mattermost | CWE-522 | 2.2 | Low | 2025-07-18 |
| CVE-2025-6233 | Arbitrary file read by system admin via path traversal | Mattermost | CWE-22 | 6.8 | Medium | 2025-07-18 |
| CVE-2025-6226 | IDOR in CreatePost API allows for timeboxed message disclosure | Mattermost | CWE-306 | 6.5 | Medium | 2025-07-18 |
| CVE-2025-47871 | Mattermost Playbooks exposes private channel metadata to unauthorized users via run metadata API | Mattermost | CWE-863 | 4.3 | Medium | 2025-06-30 |
| CVE-2025-46702 | Mattermost Playbooks allows privilege escalation through improper access control in playbook run participant management | Mattermost | CWE-863 | 5.4 | Medium | 2025-06-30 |
| CVE-2025-3227 | Unauthorized channel member management through playbook runs | Mattermost | CWE-863 | 4.3 | Medium | 2025-06-20 |
| CVE-2025-3228 | Unauthorized Guest user access to Playbook | Mattermost | CWE-863 | 4.3 | Medium | 2025-06-20 |

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.