CVE-2026-3116
- EPSS 0.34%
- Veröffentlicht 26.03.2026 16:19:32
- Zuletzt bearbeitet 08.06.2026 12:20:59
Mattermost Plugins versions <=11.4 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to validate incoming request size which allows an authenticated attacker to cause service disruption via the webhook endpoint. Mattermost Advisory ID: MMSA-2026-00589
CVE-2026-3113
- EPSS 0.13%
- Veröffentlicht 26.03.2026 16:18:06
- Zuletzt bearbeitet 30.03.2026 19:41:30
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on downloaded bulk export which allows other local users on the server to be able to read contents of the bulk export.. Mattermost A...
CVE-2026-3108
- EPSS 0.27%
- Veröffentlicht 26.03.2026 16:16:49
- Zuletzt bearbeitet 30.03.2026 19:45:27
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted...
CVE-2026-4274
- EPSS 0.14%
- Veröffentlicht 26.03.2026 10:43:24
- Zuletzt bearbeitet 26.03.2026 18:48:39
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to ...
CVE-2026-27659
- EPSS 0.12%
- Veröffentlicht 25.03.2026 16:33:32
- Zuletzt bearbeitet 26.03.2026 18:49:34
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into ...
CVE-2026-20719
- EPSS 0.35%
- Veröffentlicht 25.03.2026 16:30:47
- Zuletzt bearbeitet 26.03.2026 18:54:18
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an ...
CVE-2026-27656
- EPSS 0.18%
- Veröffentlicht 25.03.2026 16:28:29
- Zuletzt bearbeitet 26.03.2026 18:51:38
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via a...
CVE-2026-26233
- EPSS 0.31%
- Veröffentlicht 25.03.2026 16:24:47
- Zuletzt bearbeitet 26.03.2026 18:52:31
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single pack...
CVE-2026-1629
- EPSS 0.2%
- Veröffentlicht 16.03.2026 20:24:05
- Zuletzt bearbeitet 18.03.2026 13:56:22
Mattermost versions 10.11.x <= 10.11.10 Fail to invalidate cached permalink preview data when a user loses channel access which allows the user to continue viewing private channel content via previously cached permalink previews until cache reset or ...
CVE-2026-26230
- EPSS 0.16%
- Veröffentlicht 16.03.2026 20:19:51
- Zuletzt bearbeitet 18.03.2026 13:56:13
Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531