CVE-2026-0999
- EPSS 0.17%
- Veröffentlicht 16.02.2026 09:47:45
- Zuletzt bearbeitet 18.02.2026 20:20:07
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Adviso...
CVE-2026-20796
- EPSS 0.2%
- Veröffentlicht 13.02.2026 10:30:03
- Zuletzt bearbeitet 23.02.2026 15:53:11
Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoin...
CVE-2026-22892
- EPSS 0.24%
- Veröffentlicht 13.02.2026 10:29:00
- Zuletzt bearbeitet 18.02.2026 21:34:16
Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content a...
CVE-2025-14435
- EPSS 0.27%
- Veröffentlicht 16.01.2026 11:25:35
- Zuletzt bearbeitet 20.01.2026 15:06:30
Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops.
CVE-2025-14822
- EPSS 0.32%
- Veröffentlicht 16.01.2026 08:52:43
- Zuletzt bearbeitet 20.01.2026 15:11:19
Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens
CVE-2025-64641
- EPSS 0.15%
- Veröffentlicht 24.12.2025 08:15:46
- Zuletzt bearbeitet 31.12.2025 18:55:29
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jir...
CVE-2025-13767
- EPSS 0.17%
- Veröffentlicht 24.12.2025 08:15:45
- Zuletzt bearbeitet 31.12.2025 18:56:27
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to...
CVE-2025-14273
- EPSS 0.23%
- Veröffentlicht 22.12.2025 11:24:55
- Zuletzt bearbeitet 29.12.2025 18:47:45
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin,...
CVE-2025-13326
- EPSS 0.09%
- Veröffentlicht 17.12.2025 18:14:14
- Zuletzt bearbeitet 18.12.2025 19:47:06
Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder.
CVE-2025-13324
- EPSS 0.17%
- Veröffentlicht 17.12.2025 18:14:13
- Zuletzt bearbeitet 29.12.2025 18:46:13
Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an a...