
Mattermost — Vulnerabilities & Security Advisories 352

All 352 CVE vulnerabilities found in Mattermost, with AI-generated Chinese analysis, references, and POCs.

Vendor: Mattermost

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-3590 | Race Condition in Guest Magic Link Authentication Allows Token Reuse | CWE-367 | 6.5 | Medium | 2026-04-15 |
| CVE-2026-28741 | CSRF Protection Bypass Allows Updating a User's Authentication Method | CWE-352 | 6.8 | Medium | 2026-04-15 |
| CVE-2026-27769 | Connected Workspaces: Malicious remote server can manipulate arbitrary user's status | CWE-862 | 2.7 | Low | 2026-04-15 |
| CVE-2026-24661 | Unbounded Request Body Read in MS Teams Plugin {{/changes}} Webhook Endpoint | CWE-770 | 3.7 | Low | 2026-04-09 |
| CVE-2026-21388 | Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint | CWE-770 | 3.7 | Low | 2026-04-09 |
| CVE-2026-3524 | Authorization Bypass in Mattermost Legal Hold Plugin Due to Missing Return After Permission Check | CWE-862 | 8.3 | High | 2026-04-06 |
| CVE-2026-3112 | Arbitrary File Read via Advanced Logging Support Packet | CWE-22 | 6.8 | Medium | 2026-03-26 |
| CVE-2026-3109 | Missing timestamp validation in Zoom webhook handler | CWE-754 | 2.2 | Low | 2026-03-26 |
| CVE-2026-3115 | Guest users can view group member IDs without respecting view restrictions | CWE-863 | 4.3 | Medium | 2026-03-26 |
| CVE-2026-3114 | Zip Bomb Denial of Service via Unrestricted Archive Decompression | CWE-409 | 6.5 | Medium | 2026-03-26 |
| CVE-2026-3116 | Improper Input Validation in Zoom Plugin Webhook Handler | CWE-400 | 4.9 | Medium | 2026-03-26 |
| CVE-2026-3113 | mmctl export download command doesn't restrict permissions to created file to file owner | CWE-732 | 5.0 | Medium | 2026-03-26 |
| CVE-2026-3108 | Terminal Escape Injection in mmctl Report Posts Command | CWE-150 | 8.0 | High | 2026-03-26 |
| CVE-2026-4274 | Insufficient authorization in shared channel membership sync grants team-level access instead of channel-level access | CWE-863 | 5.4 | Medium | 2026-03-26 |
| CVE-2026-27659 | CSRF vulnerability in UpdateAccessControlPolicyActiveStatus endpoint | CWE-352 | 4.6 | Medium | 2026-03-25 |
| CVE-2026-20719 | DoS via URL Previews Rendering Malicious SVGs | CWE-754 | 4.3 | Medium | 2026-03-25 |
| CVE-2026-27656 | Account Takeover via Substring Matching in OpenID Connect Authentication | CWE-303 | 5.7 | Medium | 2026-03-25 |
| CVE-2026-26233 | Denial of Service via HTTP/2 single packet attack on login endpoint | CWE-400 | 4.3 | Medium | 2026-03-25 |
| CVE-2026-1629 | Permalink Preview Information Disclosure After Permission Revocation | CWE-672 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-26230 | Team Admin Privilege Escalation to Demote Members to Guest | CWE-863 | 3.8 | Low | 2026-03-16 |
| CVE-2026-2454 | DoS in Calls plugin via malformed msgpack in websocket request | CWE-1287 | 5.8 | Medium | 2026-03-16 |
| CVE-2026-26304 | Permission Bypass in Playbook Run Creation | CWE-863 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-24692 | Guest users can bypass read permissions via search API | CWE-863 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-22545 | Password Change Bypass via Auth Switch Endpoint | CWE-863 | 3.1 | Low | 2026-03-16 |
| CVE-2026-2455 | SSRF bypass via IPv4-mapped IPv6 literals | CWE-918 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-21386 | Private channel enumeration via /mute slash command | CWE-203 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-25780 | Memory Exhaustion via Malformed DOC File Upload | CWE-789 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-4265 | Guest user can upload files without permission across teams | CWE-863 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-25783 | Denial of service via malformed User-Agent header in getBrowserVersion | CWE-1287 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-24458 | DoS attack via login attempts with multi-megabyte passwords | CWE-770 | 7.5 | High | 2026-03-16 |
