CVE-2026-2462
- EPSS 0.33%
- Veröffentlicht 16.03.2026 12:00:21
- Zuletzt bearbeitet 18.03.2026 18:31:45
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to restrict plugin installation on CI test instances with default admin credentials which allows an unauthenticated attacker to achieve remote code execution and exfiltr...
CVE-2026-2578
- EPSS 0.22%
- Veröffentlicht 16.03.2026 11:58:09
- Zuletzt bearbeitet 18.03.2026 17:42:38
Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory...
CVE-2026-26246
- EPSS 0.22%
- Veröffentlicht 16.03.2026 11:33:02
- Zuletzt bearbeitet 18.03.2026 18:03:54
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a...
CVE-2026-2458
- EPSS 0.17%
- Veröffentlicht 16.03.2026 11:27:49
- Zuletzt bearbeitet 18.03.2026 17:48:32
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel se...
CVE-2026-2457
- EPSS 0.11%
- Veröffentlicht 16.03.2026 11:20:25
- Zuletzt bearbeitet 18.03.2026 17:49:10
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post...
CVE-2026-2461
- EPSS 0.16%
- Veröffentlicht 16.03.2026 11:16:32
- Zuletzt bearbeitet 20.03.2026 18:30:35
Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermo...
CVE-2026-2463
- EPSS 0.17%
- Veröffentlicht 16.03.2026 11:13:57
- Zuletzt bearbeitet 18.03.2026 17:43:26
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs...
CVE-2026-2456
- EPSS 0.17%
- Veröffentlicht 16.03.2026 11:06:44
- Zuletzt bearbeitet 18.03.2026 18:27:57
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Mattermost fails to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of serv...
CVE-2025-14573
- EPSS 0.16%
- Veröffentlicht 16.02.2026 12:25:32
- Zuletzt bearbeitet 18.02.2026 20:18:01
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisor...
CVE-2025-13821
- EPSS 0.2%
- Veröffentlicht 16.02.2026 12:16:21
- Zuletzt bearbeitet 18.02.2026 21:44:27
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email veri...