
Mattermost — Vulnerabilities & Security Advisories (382)

Browse all 382 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration in enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been affected by critical security flaws, including remote code execution, cross-site scripting, and privilege escalation. These issues often stem from improper input validation or insufficient access controls in its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history illustrates the risks that come with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the need for rigorous patch management and configuration hardening. Organizations deploying Mattermost should prioritize regular updates and continuous monitoring to mitigate the risks that follow from its large attack surface and the steady stream of newly disclosed vulnerabilities.

CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2025-25274 | Unauthorized Command Execution in Archived Channels | CWE-863 | 4.3 | Medium | 2025-03-21
CVE-2025-27933 | Unauthorized Private-to-Public Channel Conversion | CWE-863 | 5.4 | Medium | 2025-03-21
CVE-2025-27715 | Auto-Enrollment of Team Admins into Private Channels without explicit consent | CWE-863 | 3.3 | Low | 2025-03-21
CVE-2025-1472 | Unauthorized View Access to Site Statistics and Team Statistics | CWE-863 | 4.3 | Medium | 2025-03-19
CVE-2025-1398 | macOS TCC Bypass via Code Injection | CWE-426 | 3.3 | Low | 2025-03-17
CVE-2025-20051 | Arbitrary file read via block duplication in Mattermost Boards | CWE-22 | 9.9 | Critical | 2025-02-24
CVE-2025-24490 | SQL Injection in Mattermost Boards via board category ID reordering | CWE-89 | 9.6 | Critical | 2025-02-24
CVE-2025-25279 | Arbitrary file read in Mattermost Boards via import & export board archive | CWE-22 | 9.9 | Critical | 2025-02-24
CVE-2025-1412 | Session Persistence After User-to-Bot Conversion | CWE-384 | 3.1 | Low | 2025-02-24
CVE-2025-24526 | Channel export permitted on archived channel when viewing archived channels is disabled | CWE-863 | 4.3 | Medium | 2025-02-24
CVE-2025-0503 | Leaked User IDs and Metadata of Deleted DMs | CWE-754 | 3.1 | Low | 2025-02-14
CVE-2025-20630 | Mobile crash via object that can't be cast to String in Attachment Field | CWE-1287 | 6.5 | Medium | 2025-01-16
CVE-2025-20621 | Webapp crash via object that can't be cast to String in Attachment Field | CWE-1287 | 6.5 | Medium | 2025-01-16
CVE-2025-20072 | Mobile crash via improper validation of proto style in attachments | CWE-704 | 6.5 | Medium | 2025-01-16
CVE-2025-0476 | Mobile crash via file with specially crafted filename | CWE-1287 | 4.3 | Medium | 2025-01-15
CVE-2025-20088 | Insufficient Input Validation on Post Props | CWE-1287 | 6.5 | Medium | 2025-01-15
CVE-2025-20086 | Insufficient Input Validation on Post Props | CWE-1287 | 6.5 | Medium | 2025-01-15
CVE-2025-20036 | Insufficient Input Validation on Post Props | CWE-1287 | 6.5 | Medium | 2025-01-15
CVE-2025-21083 | Insufficient Input Validation on Post Props | CWE-1287 | 6.5 | Medium | 2025-01-15
CVE-2025-21088 | WebApp crash via improper validation of proto style in attachments | CWE-704 | 6.5 | Medium | 2025-01-15
CVE-2025-22445 | Misleading UI for undefined admin console settings in Calls causes security confusion | CWE-754 | 3.5 | Low | 2025-01-09
CVE-2025-20033 | DoS via custom post type for sysconsole plugin readers | CWE-1287 | 4.3 | Medium | 2025-01-09
CVE-2025-22449 | Access control flaw for team admins allows unauthorized team additions | CWE-863 | 3.8 | Low | 2025-01-09
CVE-2024-11358 | Insecure Android File Provider Paths | CWE-284 | 5.7 | Medium | 2024-12-16
CVE-2024-54682 | Zipbomb DoS via Missing Slack Import Validation | CWE-409 | 6.5 | Medium | 2024-12-16
CVE-2024-54083 | DoS via lack of type validation in Calls | CWE-1287 | 6.5 | Medium | 2024-12-16
CVE-2024-48872 | Bypass of "Max failed attempts" restriction via race condition | CWE-362 | 4.8 | Medium | 2024-12-16
CVE-2024-12247 | Improper propagation of permission scheme updates across cluster nodes | CWE-863 | 4.6 | Medium | 2024-12-05
CVE-2024-11599 | Domain Restriction Bypass on Registration | CWE-754 | 8.2 | High | 2024-11-28
CVE-2024-52032 | Private channel names leaking when Elasticsearch is enabled | CWE-200 | 4.3 | Medium | 2024-11-09

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.