Mattermost

Mattermost Server

422 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.1%
  • Veröffentlicht 26.06.2026 14:44:58
  • Zuletzt bearbeitet 29.06.2026 19:26:34

Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in st...

  • EPSS 0.19%
  • Veröffentlicht 26.06.2026 14:42:24
  • Zuletzt bearbeitet 29.06.2026 19:27:20

Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled ...

  • EPSS 0.23%
  • Veröffentlicht 22.06.2026 13:41:28
  • Zuletzt bearbeitet 26.06.2026 16:39:58

Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisor...

  • EPSS 0.15%
  • Veröffentlicht 22.06.2026 13:40:07
  • Zuletzt bearbeitet 23.06.2026 20:50:26

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from cha...

  • EPSS 0.18%
  • Veröffentlicht 22.06.2026 13:38:56
  • Zuletzt bearbeitet 23.06.2026 20:49:21

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira i...

  • EPSS 0.19%
  • Veröffentlicht 22.06.2026 13:37:44
  • Zuletzt bearbeitet 23.06.2026 20:48:34

Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot ac...

  • EPSS 0.2%
  • Veröffentlicht 22.06.2026 13:36:43
  • Zuletzt bearbeitet 23.06.2026 20:47:36

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSo...

  • EPSS 0.17%
  • Veröffentlicht 22.06.2026 13:34:21
  • Zuletzt bearbeitet 23.06.2026 20:50:51

Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticate...

  • EPSS 0.28%
  • Veröffentlicht 25.05.2026 07:10:23
  • Zuletzt bearbeitet 01.06.2026 17:57:36

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (se...

  • EPSS 0.25%
  • Veröffentlicht 21.05.2026 08:12:11
  • Zuletzt bearbeitet 21.05.2026 19:43:31

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth tok...