CVE-2026-2454
- EPSS 0.27%
- Veröffentlicht 16.03.2026 20:10:16
- Zuletzt bearbeitet 18.03.2026 13:56:03
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket m...
CVE-2026-26304
- EPSS 0.16%
- Veröffentlicht 16.03.2026 19:53:21
- Zuletzt bearbeitet 18.03.2026 13:56:31
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542
CVE-2026-24692
- EPSS 0.17%
- Veröffentlicht 16.03.2026 14:56:45
- Zuletzt bearbeitet 18.03.2026 13:54:50
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API reque...
CVE-2026-22545
- EPSS 0.15%
- Veröffentlicht 16.03.2026 14:54:45
- Zuletzt bearbeitet 18.03.2026 13:54:31
Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different aut...
CVE-2026-2455
- EPSS 0.17%
- Veröffentlicht 16.03.2026 14:53:31
- Zuletzt bearbeitet 18.03.2026 13:55:00
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 ...
CVE-2026-21386
- EPSS 0.18%
- Veröffentlicht 16.03.2026 14:51:43
- Zuletzt bearbeitet 18.03.2026 13:53:15
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know...
CVE-2026-25780
- EPSS 0.27%
- Veröffentlicht 16.03.2026 12:59:13
- Zuletzt bearbeitet 18.03.2026 18:13:33
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a speci...
CVE-2026-4265
- EPSS 0.22%
- Veröffentlicht 16.03.2026 12:07:14
- Zuletzt bearbeitet 18.03.2026 17:41:56
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a tea...
CVE-2026-25783
- EPSS 0.29%
- Veröffentlicht 16.03.2026 12:04:18
- Zuletzt bearbeitet 18.03.2026 18:11:16
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advis...
CVE-2026-24458
- EPSS 0.26%
- Veröffentlicht 16.03.2026 12:02:23
- Zuletzt bearbeitet 18.03.2026 18:14:11
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Matter...