| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-3590 | Race Condition in Guest Magic Link Authentication Allows Token Reuse | Mattermost | Mattermost | Medium | 6.5 | 2026-04-15 11:00:15 | Deep Dive |
| CVE-2026-28741 | CSRF Protection Bypass Allows Updating a User's Authentication Method | Mattermost | Mattermost | Medium | 6.8 | 2026-04-15 10:13:34 | Deep Dive |
| CVE-2026-27769 | Connected Workspaces: Malicious remote server can manipulate arbitrary user's status | Mattermost | Mattermost | Low | 2.7 | 2026-04-15 10:11:08 | Deep Dive |
| CVE-2026-24661 | Unbounded Request Body Read in MS Teams Plugin `/changes` Webhook Endpoint | Mattermost | Mattermost | Low | 3.7 | 2026-04-09 10:12:45 | Deep Dive |
| CVE-2026-21388 | Unbounded Request Body Read in MS Teams Plugin `/lifecycle` Webhook Endpoint | Mattermost | Mattermost | Low | 3.7 | 2026-04-09 10:09:24 | Deep Dive |
| CVE-2026-3524 | Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check | Mattermost | Mattermost | High | 8.8 | 2026-04-06 12:06:22 | Deep Dive |
| CVE-2026-28736 | Focalboard IDOR in file content endpoint allows cross-user file access (unsupported product, no fix) | Mattermost | Focalboard | Medium | 4.3 | 2026-04-03 13:25:53 | Deep Dive |
| CVE-2026-25773 | Focalboard Second-Order SQL Injection in category reorder endpoint allows data exfiltration (unsupported product, no fix) | Mattermost | Focalboard | High | 8.1 | 2026-04-03 13:24:29 | Deep Dive |
| CVE-2026-3112 | Arbitrary File Read via Advanced Logging Support Packet | Mattermost | Mattermost | Medium | 6.8 | 2026-03-26 16:29:54 | Deep Dive |
| CVE-2026-3109 | Missing timestamp validation in Zoom webhook handler | Mattermost | Mattermost | Low | 2.2 | 2026-03-26 16:28:07 | Deep Dive |
| CVE-2026-3115 | Guest users can view group member IDs without respecting view restrictions | Mattermost | Mattermost | Medium | 4.3 | 2026-03-26 16:23:06 | Deep Dive |
| CVE-2026-3114 | Zip Bomb Denial of Service via Unrestricted Archive Decompression | Mattermost | Mattermost | Medium | 6.5 | 2026-03-26 16:21:19 | Deep Dive |
| CVE-2026-3116 | Improper Input Validation in Zoom Plugin Webhook Handler | Mattermost | Mattermost | Medium | 4.9 | 2026-03-26 16:19:33 | Deep Dive |
| CVE-2026-3113 | mmctl export download command doesn’t restrict permissions to created file to file owner | Mattermost | Mattermost | Medium | 5.0 | 2026-03-26 16:18:07 | Deep Dive |
| CVE-2026-3108 | Terminal Escape Injection in mmctl Report Posts Command | Mattermost | Mattermost | High | 8.0 | 2026-03-26 16:16:50 | Deep Dive |
| CVE-2026-4274 | Insufficient authorization in shared channel membership sync grants team-level access instead of channel-level access | Mattermost | Mattermost | Medium | 5.4 | 2026-03-26 10:43:25 | Deep Dive |
| CVE-2026-27659 | CSRF vulnerability in UpdateAccessControlPolicyActiveStatus endpoint | Mattermost | Mattermost | Medium | 4.6 | 2026-03-25 16:33:33 | Deep Dive |
| CVE-2026-20719 | DoS via URL Previews Rendering Malicious SVGs | Mattermost | Mattermost | Medium | 4.3 | 2026-03-25 16:30:47 | Deep Dive |
| CVE-2026-27656 | Account Takeover via Substring Matching in OpenID Connect Authentication | Mattermost | Mattermost | Medium | 5.7 | 2026-03-25 16:28:30 | Deep Dive |
| CVE-2026-26233 | Denial of Service via HTTP/2 single packet attack on login endpoint | Mattermost | Mattermost | Medium | 4.3 | 2026-03-25 16:24:48 | Deep Dive |