
Mattermost — Vulnerabilities & Security Advisories (352 CVEs)

All 352 CVE vulnerabilities found in Mattermost, with AI-generated Chinese analysis, references, and POCs.

Vendor: Mattermost

CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2026-2462 | Admin RCE via Malicious Plugin Upload on CI Test Instances | CWE-863 | 6.6 | Medium | 2026-03-16
CVE-2026-2578 | Information Disclosure via WebSocket Event When Deleting Unrevealed Burn on Read Posts | CWE-201 | 4.3 | Medium | 2026-03-16
CVE-2026-26246 | Memory Exhaustion via Malformed PSD File Upload | CWE-789 | 4.3 | Medium | 2026-03-16
CVE-2026-2458 | Unauthorized channel enumeration in private teams after member removal | CWE-862 | 4.3 | Medium | 2026-03-16
CVE-2026-2457 | WebSocket Message Spoofing via Permalink Embed Manipulation | CWE-346 | 4.3 | Medium | 2026-03-16
CVE-2026-2461 | Missing authorization check allows unauthorized modification of other users' comments on a board | CWE-639 | 4.3 | Medium | 2026-03-16
CVE-2026-2463 | Unauthorized access to invite ID during team creation | CWE-862 | 4.3 | Medium | 2026-03-16
CVE-2026-2476 | MS Teams plugin sensitive config values not properly masked in support packets | CWE-200 | 7.6 | High | 2026-03-16
CVE-2026-2456 | Denial of Service via Unbounded Memory Allocation in Integration Actions | CWE-789 | 5.3 | Medium | 2026-03-16
CVE-2026-1628 | Mattermost allows external websites to open within the app, exposing preload functionality to non-trusted sites | CWE-829 | 4.6 | Medium | 2026-03-02
CVE-2025-14573 | Team Admin Bypass of Invite Permissions via allow_open_invite Field | CWE-862 | 3.8 | Low | 2026-02-16
CVE-2026-1046 | Arbitrary application execution via unvalidated server-controlled URLs in Help menu | CWE-939 | 7.6 | High | 2026-02-16
CVE-2025-14350 | Information disclosure via channel mentions in posts | CWE-862 | 4.3 | Medium | 2026-02-16
CVE-2025-13821 | User profile update exposes password hash and MFA secrets | CWE-200 | 5.7 | Medium | 2026-02-16
CVE-2026-0997 | Mattermost Zoom Plugin channel preference API lacks authorization checks | CWE-863 | 4.3 | Medium | 2026-02-16
CVE-2026-0998 | Mattermost Zoom Plugin allows unauthorized meeting creation and post modification via insufficient API access controls | CWE-862 | 4.3 | Medium | 2026-02-16
CVE-2026-0999 | Authentication bypass via userID login when email and username login are disabled | CWE-303 | 5.4 | Medium | 2026-02-16
CVE-2026-20796 | Time-of-check time-of-use vulnerability in common teams API | CWE-367 | 3.1 | Low | 2026-02-13
CVE-2026-22892 | Insufficient Authorization in Mattermost Jira Plugin Allows Unauthorized Access to Post Attachments | CWE-863 | 4.3 | Medium | 2026-02-13
CVE-2025-14435 | Application-Level DoS via infinite re-render loop in user profile handling | CWE-770 | 6.8 | Medium | 2026-01-16
CVE-2025-14822 | DoS from quadratic complexity in model.ParseHashtags | CWE-407 | 3.1 | Low | 2026-01-16
CVE-2025-64641 | Mattermost Jira plugin crafted action leaks Jira issue details | CWE-863 | 4.1 | Medium | 2025-12-24
CVE-2025-13767 | Unauthorized Read Access to Private Channel Posts via Mattermost Jira Plugin | CWE-863 | 4.3 | Medium | 2025-12-24
CVE-2025-14273 | Mattermost Jira plugin user spoofing enables Jira request forgery | CWE-303 | 7.2 | High | 2025-12-22
CVE-2025-13326 | Mattermost Desktop App fails to enable Hardened Runtime when packaged for Mac App Store | CWE-693 | 3.9 | Low | 2025-12-17
CVE-2025-13321 | Mattermost Desktop App logging sensitive information and fails to clear data on server deletion | CWE-532 | 3.3 | Low | 2025-12-17
CVE-2025-13324 | Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation | CWE-863 | 3.7 | Low | 2025-12-17
CVE-2025-12689 | DoS in Calls plugin via malformed UTF-8 in WebSocket request | CWE-1287 | 6.5 | Medium | 2025-12-17
CVE-2025-62690 | Open redirect in error page when link opened in new tab | CWE-601 | 3.1 | Low | 2025-12-17
CVE-2025-13352 | Mattermost GitHub Plugin allows unauthorized GitHub reactions via reaction forwarding hijacking | CWE-1287 | 3.0 | Low | 2025-12-17
