CVE-2026-4339
- EPSS 0.1%
- Veröffentlicht 26.06.2026 14:44:58
- Zuletzt bearbeitet 29.06.2026 19:26:34
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in st...
CVE-2026-3472
- EPSS 0.19%
- Veröffentlicht 26.06.2026 14:42:24
- Zuletzt bearbeitet 29.06.2026 19:27:20
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled ...
CVE-2026-8823
- EPSS 0.23%
- Veröffentlicht 22.06.2026 13:41:28
- Zuletzt bearbeitet 26.06.2026 16:39:58
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisor...
CVE-2026-6062
- EPSS 0.15%
- Veröffentlicht 22.06.2026 13:40:07
- Zuletzt bearbeitet 23.06.2026 20:50:26
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from cha...
CVE-2026-6673
- EPSS 0.18%
- Veröffentlicht 22.06.2026 13:38:56
- Zuletzt bearbeitet 23.06.2026 20:49:21
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira i...
CVE-2026-8074
- EPSS 0.19%
- Veröffentlicht 22.06.2026 13:37:44
- Zuletzt bearbeitet 23.06.2026 20:48:34
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot ac...
CVE-2026-9162
- EPSS 0.2%
- Veröffentlicht 22.06.2026 13:36:43
- Zuletzt bearbeitet 23.06.2026 20:47:36
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSo...
CVE-2026-5139
- EPSS 0.17%
- Veröffentlicht 22.06.2026 13:34:21
- Zuletzt bearbeitet 23.06.2026 20:50:51
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticate...
CVE-2026-4915
- EPSS 0.28%
- Veröffentlicht 25.05.2026 07:10:23
- Zuletzt bearbeitet 01.06.2026 17:57:36
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (se...
CVE-2026-4858
- EPSS 0.25%
- Veröffentlicht 21.05.2026 08:12:11
- Zuletzt bearbeitet 21.05.2026 19:43:31
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth tok...