Mattermost — Vulnerabilities & Security Advisories (382)

Browse all 382 CVE security advisories affecting Mattermost. AI-powered Chinese analysis, POCs, and references for each vulnerability.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-25783 | Denial of service via malformed User-Agent header in getBrowserVersion | Mattermost | CWE-1287 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-24458 | DoS attack via login attempts with multi-megabyte passwords | Mattermost | CWE-770 | 7.5 | High | 2026-03-16 |
| CVE-2026-2462 | Admin RCE via Malicious Plugin Upload on CI Test Instances | Mattermost | CWE-863 | 6.6 | Medium | 2026-03-16 |
| CVE-2026-2578 | Information Disclosure via WebSocket Event When Deleting Unrevealed Burn on Read Posts | Mattermost | CWE-201 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-26246 | Memory Exhaustion via Malformed PSD File Upload | Mattermost | CWE-789 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-2458 | Unauthorized channel enumeration in private teams after member removal | Mattermost | CWE-862 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-2457 | WebSocket Message Spoofing via Permalink Embed Manipulation | Mattermost | CWE-346 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-2461 | Missing authorization check allows unauthorized modification of other users' comments on a board | Mattermost | CWE-639 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-2463 | Unauthorized access to invite ID during team creation | Mattermost | CWE-862 | 4.3 | Medium | 2026-03-16 |
| CVE-2026-2476 | MS Teams plugin sensitive config values not properly masked in support packets | Mattermost | CWE-200 | 7.6 | High | 2026-03-16 |
| CVE-2026-2456 | Denial of Service via Unbounded Memory Allocation in Integration Actions | Mattermost | CWE-789 | 5.3 | Medium | 2026-03-16 |
| CVE-2026-1628 | Mattermost allows external websites to open within the app, exposing preload functionality to non-trusted sites | Mattermost | CWE-829 | 4.6 | Medium | 2026-03-02 |
| CVE-2025-14573 | Team Admin Bypass of Invite Permissions via allow_open_invite Field | Mattermost | CWE-862 | 3.8 | Low | 2026-02-16 |
| CVE-2026-1046 | Arbitrary application execution via unvalidated server-controlled URLs in Help menu | Mattermost | CWE-939 | 7.6 | High | 2026-02-16 |
| CVE-2025-14350 | Information disclosure via channel mentions in posts | Mattermost | CWE-862 | 4.3 | Medium | 2026-02-16 |
| CVE-2025-13821 | User profile update exposes password hash and MFA secrets | Mattermost | CWE-200 | 5.7 | Medium | 2026-02-16 |
| CVE-2026-0997 | Mattermost Zoom Plugin channel preference API lacks authorization checks | Mattermost | CWE-863 | 4.3 | Medium | 2026-02-16 |
| CVE-2026-0998 | Mattermost Zoom Plugin allows unauthorized meeting creation and post modification via insufficient API access controls | Mattermost | CWE-862 | 4.3 | Medium | 2026-02-16 |
| CVE-2026-0999 | Authentication bypass via userID login when email and username login are disabled | Mattermost | CWE-303 | 5.4 | Medium | 2026-02-16 |
| CVE-2026-20796 | Time-of-check time-of-use vulnerability in common teams API | Mattermost | CWE-367 | 3.1 | Low | 2026-02-13 |
| CVE-2026-22892 | Insufficient Authorization in Mattermost Jira Plugin Allows Unauthorized Access to Post Attachments | Mattermost | CWE-863 | 4.3 | Medium | 2026-02-13 |
| CVE-2025-13523 | Cross-Site Scripting (XSS) via Unescaped Display Names in Mattermost Confluence Plugin OAuth2 Flow | Mattermost Confluence Plugin | CWE-79 | 7.7 | High | 2026-02-06 |
| CVE-2025-14435 | Application-Level DoS via infinite re-render loop in user profile handling | Mattermost | CWE-770 | 6.8 | Medium | 2026-01-16 |
| CVE-2025-14822 | DoS from quadratic complexity in model.ParseHashtags | Mattermost | CWE-407 | 3.1 | Low | 2026-01-16 |
| CVE-2025-64641 | Mattermost Jira plugin crafted action leaks Jira issue details | Mattermost | CWE-863 | 4.1 | Medium | 2025-12-24 |
| CVE-2025-13767 | Unauthorized Read Access to Private Channel Posts via Mattermost Jira Plugin | Mattermost | CWE-863 | 4.3 | Medium | 2025-12-24 |
| CVE-2025-14273 | Mattermost Jira plugin user spoofing enables Jira request forgery | Mattermost | CWE-303 | 7.2 | High | 2025-12-22 |
| CVE-2025-13326 | Mattermost Desktop App fails to enable Hardened Runtime when packaged for Mac App Store | Mattermost | CWE-693 | 3.9 | Low | 2025-12-17 |
| CVE-2025-13324 | Lack of Invalidation of Legacy Remote Cluster Invite Tokens After Confirmation | Mattermost | CWE-863 | 3.7 | Low | 2025-12-17 |
| CVE-2025-13321 | Mattermost Desktop App logs sensitive information and fails to clear data on server deletion | Mattermost | CWE-532 | 3.3 | Low | 2025-12-17 |

This page lists every published CVE security advisory associated with Mattermost. Each entry links to a detailed page with its CVSS score, CWE classification, affected products and references. An AI-generated analysis in Chinese is provided for each advisory to support fast triage.