Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Mattermost — Vulnerabilities & Security Advisories 382

Browse all 382 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Mattermost is an open-source, self-hosted messaging platform designed primarily for secure team communication and collaboration within enterprise environments. With 382 recorded Common Vulnerabilities and Exposures (CVEs), the software has historically been susceptible to critical security flaws, including remote code execution, cross-site scripting, and privilege escalation vulnerabilities. These issues often stem from improper input validation or insufficient access controls within its web interface and API layers. While the platform emphasizes data sovereignty through self-hosting, its extensive vulnerability history highlights the risks associated with complex, feature-rich applications. Security incidents have occasionally involved unauthorized data access or service disruption, underscoring the necessity for rigorous patch management and configuration hardening. Organizations deploying this solution must prioritize regular updates and continuous monitoring to mitigate the inherent risks associated with its large attack surface and frequent exposure to newly discovered exploits.

Top products by Mattermost: Mattermost Mattermost Confluence Plugin Mattermost Desktop Mattermost Boards Mattermost Playbooks Mattermost App Framework Focalboard Playbooks Plugin Mattermost Github Plugin Mattermost iOS app Mattermost Plugins Mattermost Mobile
CVE IDTitleCVSSSeverityPublished
CVE-2024-36250 MFA Code Replay — MattermostCWE-303 3.1 Low2024-11-09
CVE-2024-42000 Unauthorized Access to view channels' details — MattermostCWE-863 2.7 Low2024-11-09
CVE-2024-46872 Client-Side Path Traversal Leading to CSRF in Playbooks — MattermostCWE-352 4.6 Medium2024-10-29
CVE-2024-47401 DoS via Amplified GraphQL Response in Playbooks — MattermostCWE-770 4.3 Medium2024-10-29
CVE-2024-50052 Arbitrary post deletion via Playbooks /ignore-thread endpoint — MattermostCWE-862 4.3 Medium2024-10-29
CVE-2024-10241 Private channel names leaked with Ctrl+K when ElasticSearch is enabled — MattermostCWE-284 4.3 Medium2024-10-29
CVE-2024-10214 Incorrect Session Creation with Desktop SSO — MattermostCWE-303 3.5 Low2024-10-28
CVE-2024-9155 Insufficient Authorization On Unlinked Channel Files — MattermostCWE-863 4.3 Medium2024-09-26
CVE-2024-47003 DoS via non-string message using permalink embed — MattermostCWE-400 3.1 Low2024-09-26
CVE-2024-42406 Unauthorized access on archived channels — MattermostCWE-284 5.4 Medium2024-09-26
CVE-2024-45843 Weak SSRF Filtering — MattermostCWE-918 3.1 Low2024-09-26
CVE-2024-47145 Unauthorized access on archived channels via file links — MattermostCWE-284 3.1 Low2024-09-26
CVE-2024-45835 Insufficient Electron Fuses Configuration — MattermostCWE-693 2.5 Low2024-09-16
CVE-2024-39772 Silent Desktop Screenshot Capture — MattermostCWE-284 3.7 Low2024-09-16
CVE-2024-45833 Mobile password gets saved in dictionary under conditions — MattermostCWE-693 4.5 Medium2024-09-16
CVE-2024-39613 RCE in desktop app in Windows by local attacker — MattermostCWE-427 5.3 Medium2024-09-16
CVE-2024-43105 Excessive Resource Consumption via `/export` — MattermostCWE-400 4.3 Medium2024-08-23
CVE-2024-43780 Unauthorized channel file upload — MattermostCWE-284 4.3 Medium2024-08-22
CVE-2024-40884 Unauthorized disabling of invite URL — MattermostCWE-284 2.7 Low2024-08-22
CVE-2024-42497 Insufficient permissions checks on teams — MattermostCWE-284 6.0 Medium2024-08-22
CVE-2024-8071 System Role with edit access to permissions can elevate themselves to system admin — MattermostCWE-284 4.7 Medium2024-08-22
CVE-2024-42411 User creation date manipulation in POST /api/v4/users — MattermostCWE-754 5.3 Medium2024-08-22
CVE-2024-40886 One-click Client-Side Path Traversal Leading to CSRF in User Management admin page — MattermostCWE-352 4.6 Medium2024-08-22
CVE-2024-43813 IDOR when marking read a user's channel — MattermostCWE-284 4.3 Medium2024-08-22
CVE-2024-39810 Server crash via Elasticsearch certificate file — MattermostCWE-400 4.9 Medium2024-08-22
CVE-2024-32939 Email addresses of remote users visible in props regardless of server settings — MattermostCWE-284 4.3 Medium2024-08-22
CVE-2024-39836 Munged email address used for password resets and notifications — MattermostCWE-693 4.8 Medium2024-08-22
CVE-2024-41926 Malicious remote can claim that a user was synced from another remote — MattermostCWE-284 2.7 Low2024-08-01
CVE-2024-41162 Malicious remote can make an arbitrary local channel read-only — MattermostCWE-284 4.1 Medium2024-08-01
CVE-2024-41144 Malicious remote can create/update/delete arbitrary posts in arbitrary channels — MattermostCWE-284 5.5 Medium2024-08-01

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.