CVE-2026-4053
- EPSS 0.17%
- Veröffentlicht 15.05.2026 18:42:47
- Zuletzt bearbeitet 18.05.2026 18:37:37
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has expired via...
CVE-2026-4054
- EPSS 0.24%
- Veröffentlicht 15.05.2026 18:32:44
- Zuletzt bearbeitet 18.05.2026 18:36:00
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under ...
CVE-2026-3590
- EPSS 0.15%
- Veröffentlicht 15.04.2026 11:00:14
- Zuletzt bearbeitet 22.04.2026 19:41:52
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to enforce atomic single-use consumption of guest magic link tokens, which allows an attacker with access to a valid magic link to establish multiple i...
CVE-2026-28741
- EPSS 0.13%
- Veröffentlicht 15.04.2026 10:13:33
- Zuletzt bearbeitet 22.04.2026 19:42:25
Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a...
CVE-2026-27769
- EPSS 0.17%
- Veröffentlicht 15.04.2026 10:11:07
- Zuletzt bearbeitet 22.04.2026 19:43:52
Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of ...
CVE-2026-21388
- EPSS 0.31%
- Veröffentlicht 09.04.2026 10:09:23
- Zuletzt bearbeitet 25.04.2026 18:02:06
Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost A...
CVE-2026-3112
- EPSS 0.42%
- Veröffentlicht 26.03.2026 16:29:54
- Zuletzt bearbeitet 30.03.2026 19:42:39
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate Advanced Logging file target paths which allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON config...
CVE-2026-3109
- EPSS 0.29%
- Veröffentlicht 26.03.2026 16:28:07
- Zuletzt bearbeitet 08.06.2026 12:24:28
Mattermost Plugins versions <=11.4 10.11.11.0 fail to validate webhook request timestamps which allows an attacker to corrupt Zoom meeting state in Mattermost via replayed webhook requests. Mattermost Advisory ID: MMSA-2026-00584
CVE-2026-3115
- EPSS 0.23%
- Veröffentlicht 26.03.2026 16:23:05
- Zuletzt bearbeitet 30.03.2026 19:40:01
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibil...
CVE-2026-3114
- EPSS 0.34%
- Veröffentlicht 26.03.2026 16:21:19
- Zuletzt bearbeitet 30.03.2026 19:40:45
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of ...