CVE-2026-4339
- EPSS 0.1%
- Veröffentlicht 26.06.2026 14:44:58
- Zuletzt bearbeitet 29.06.2026 19:26:34
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to validate attachment URLs against internal or private IP ranges in the Mattermost Agents plugin MCP server which allows an attacker with access to the MCP server in st...
CVE-2026-9699
- EPSS 0.33%
- Veröffentlicht 26.06.2026 14:43:51
- Zuletzt bearbeitet 26.06.2026 16:16:37
Mattermost Plugins versions <=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI A...
CVE-2026-3472
- EPSS 0.19%
- Veröffentlicht 26.06.2026 14:42:24
- Zuletzt bearbeitet 29.06.2026 19:27:20
Mattermost versions 10.11.x <= 10.11.18, 11.6.x <= 11.6.3, 11.5.x <= 11.5.6 fail to properly apply markdown image rendering restrictions to AI bot tool result posts, which allows an authenticated attacker to exfiltrate data to an attacker-controlled ...
CVE-2026-8823
- EPSS 0.23%
- Veröffentlicht 22.06.2026 13:41:28
- Zuletzt bearbeitet 26.06.2026 16:39:58
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API.. Mattermost Advisor...
CVE-2026-6062
- EPSS 0.15%
- Veröffentlicht 22.06.2026 13:40:07
- Zuletzt bearbeitet 23.06.2026 20:50:26
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from cha...
CVE-2026-6673
- EPSS 0.18%
- Veröffentlicht 22.06.2026 13:38:56
- Zuletzt bearbeitet 23.06.2026 20:49:21
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlassian Connect installed callbacks, allowing a remote unauthenticated attacker to inject a rogue sharedSecret and disrupt the Jira i...
CVE-2026-8074
- EPSS 0.19%
- Veröffentlicht 22.06.2026 13:37:44
- Zuletzt bearbeitet 23.06.2026 20:48:34
Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot ac...
CVE-2026-9162
- EPSS 0.2%
- Veröffentlicht 22.06.2026 13:36:43
- Zuletzt bearbeitet 23.06.2026 20:47:36
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached authentication state for active WebSocket connections during global session revocation, which allows a user with an existing WebSo...
CVE-2026-5139
- EPSS 0.17%
- Veröffentlicht 22.06.2026 13:34:21
- Zuletzt bearbeitet 23.06.2026 20:50:51
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticate...
CVE-2026-8683
- EPSS 0.2%
- Veröffentlicht 15.06.2026 14:06:21
- Zuletzt bearbeitet 16.06.2026 17:18:55
Mattermost Desktop App versions <=6.1 5.5.13.0 fail to account for attempting to open extremely long URLs in the Mattermost Desktop App which allows a malicious server owner to crash the application via including a script to call window.open on a ver...