
Mattermost — Vulnerabilities & Security Advisories (352 entries)

All 352 CVE vulnerabilities found in Mattermost, with AI-generated Chinese analysis, references, and POCs where available. The 30 most recently published entries are listed below, newest first.

Vendor: Mattermost

CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2025-47870 | Team invite ID leaked to team admin with no member invite privileges | CWE-306 | 4.3 | Medium | 2025-08-21
CVE-2025-49222 | Mattermost Shared Channel Upload Type Validation Bypass | CWE-434 | 6.8 | Medium | 2025-08-21
CVE-2025-8023 | Path Traversal in Template Upload Allows Uploading Files Outside Target Directory | CWE-22 | 6.8 | Medium | 2025-08-21
CVE-2025-53971 | Channel and Team Membership APIs inadvertently allow loss of Member privileges | CWE-863 | 3.8 | Low | 2025-08-21
CVE-2025-47700 | AI plugin APIs can be triggered using post actions | CWE-918 | 3.5 | Low | 2025-08-21
CVE-2025-49810 | Thread summarization allows persistent access to channel | CWE-863 | 3.5 | Low | 2025-08-21
CVE-2025-36530 | Import Path Traversal Enables Unauthorized Unsigned Plugin Installation | CWE-22 | 6.8 | Medium | 2025-08-21
CVE-2025-6227 | Invite token is used as part of the secure communication | CWE-522 | 2.2 | Low | 2025-07-18
CVE-2025-6233 | Arbitrary file read by system admin via path traversal | CWE-22 | 6.8 | Medium | 2025-07-18
CVE-2025-6226 | IDOR in CreatePost API allows for timeboxed message disclosure | CWE-306 | 6.5 | Medium | 2025-07-18
CVE-2025-47871 | Mattermost Playbooks exposes private channel metadata to unauthorized users via run metadata API | CWE-863 | 4.3 | Medium | 2025-06-30
CVE-2025-46702 | Mattermost Playbooks allows privilege escalation through improper access control in playbook run participant management | CWE-863 | 5.4 | Medium | 2025-06-30
CVE-2025-3227 | Unauthorized channel member management through playbook runs | CWE-863 | 4.3 | Medium | 2025-06-20
CVE-2025-3228 | Unauthorized Guest user access to Playbook | CWE-863 | 4.3 | Medium | 2025-06-20
CVE-2025-4981 | Path Traversal Leading to RCE by Any Authenticated Mattermost User | CWE-427 | 9.9 | Critical | 2025-06-20
CVE-2025-4128 | Mattermost Guest User Information Disclosure Vulnerability | CWE-863 | 3.1 | Low | 2025-06-11
CVE-2025-4573 | LDAP Injection in Mattermost Enterprise Edition When Using Active Directory | CWE-90 | 4.1 | Medium | 2025-06-11
CVE-2025-3611 | Improper Access Control in Mattermost allows System Managers to view team details despite role restrictions | CWE-863 | 3.1 | Low | 2025-05-30
CVE-2025-3230 | Bypass of System Admin User Deactivation Controls for Personal Access Tokens in Mattermost Server | CWE-303 | 5.4 | Medium | 2025-05-30
CVE-2025-2571 | Google OAuth Authentication Bypass for Converted Bot Accounts | CWE-303 | 4.2 | Medium | 2025-05-30
CVE-2025-1792 | Improper Access Control in Mattermost Channel Member API | CWE-863 | 3.1 | Low | 2025-05-30
CVE-2025-3913 | Team Privacy Settings Authorization Bypass in Mattermost Server | CWE-863 | 5.3 | Medium | 2025-05-29
CVE-2025-2570 | System Admin Cannot Access Environment settings in System Console While System Manager Can | CWE-863 | 2.7 | Low | 2025-05-15
CVE-2025-2527 | Improper access control to group information | CWE-863 | 4.3 | Medium | 2025-05-15
CVE-2025-3446 | Members Without Guest Invite Permissions Can Add Guests to Teams | CWE-863 | 4.3 | Medium | 2025-05-15
CVE-2025-31947 | Repeated LDAP login failures can lock an LDAP account | CWE-645 | 5.8 | Medium | 2025-05-15
CVE-2025-41423 | Unauthorized Playbooks Post Deletion in Mattermost Playbooks Plugin | CWE-863 | 3.1 | Low | 2025-04-24
CVE-2025-35965 | DoS in Mattermost Playbooks via Excessive Task Actions | CWE-770 | 6.5 | Medium | 2025-04-24
CVE-2025-41395 | Webapp DoS via malicious retrospective post in Playbooks | CWE-1287 | 6.5 | Medium | 2025-04-24
CVE-2025-2564 | Unauthorized View Access to Archived Channel Member Info | CWE-863 | 4.3 | Medium | 2025-04-16