CVE-2025-31947
- EPSS 0.29%
- Veröffentlicht 15.05.2025 10:41:42
- Zuletzt bearbeitet 06.10.2025 15:30:17
Mattermost versions 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11 fail to lockout LDAP users following repeated login failures, which allows attackers to lock external LDAP accounts through repeated login failures through Ma...
CVE-2025-41423
- EPSS 0.23%
- Veröffentlicht 24.04.2025 06:50:12
- Zuletzt bearbeitet 29.09.2025 21:06:37
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate permissions for the API endpoint /plugins/playbooks/api/v0/signal/keywords/ignore-thread, allowing any user or attacker to delete posts containing act...
CVE-2025-35965
- EPSS 0.32%
- Veröffentlicht 24.04.2025 06:49:22
- Zuletzt bearbeitet 29.09.2025 21:10:29
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to validate the uniqueness and quantity of task actions within the UpdateRunTaskActions GraphQL operation, which allows an attacker to create task items containing an exce...
CVE-2025-41395
- EPSS 0.4%
- Veröffentlicht 24.04.2025 06:48:31
- Zuletzt bearbeitet 01.10.2025 19:35:27
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.10 fail to properly validate the props used by the RetrospectivePost custom post type in the Playbooks plugin, which allows an attacker to create a specially crafted post with mal...
CVE-2025-2564
- EPSS 0.25%
- Veröffentlicht 16.04.2025 16:12:14
- Zuletzt bearbeitet 29.09.2025 21:13:11
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of ar...
CVE-2025-27936
- EPSS 0.3%
- Veröffentlicht 16.04.2025 09:14:55
- Zuletzt bearbeitet 14.01.2026 14:29:28
Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook sec...
CVE-2025-31363
- EPSS 0.25%
- Veröffentlicht 16.04.2025 09:14:15
- Zuletzt bearbeitet 29.09.2025 21:24:36
Mattermost versions 10.4.x <= 10.4.2, 10.5.x <= 10.5.0, 9.11.x <= 9.11.9 fail to restrict domains the LLM can request to contact upstream which allows an authenticated user to exfiltrate data from an arbitrary server accessible to the victim via perf...
CVE-2025-27571
- EPSS 0.24%
- Veröffentlicht 16.04.2025 07:45:58
- Zuletzt bearbeitet 01.10.2025 18:20:18
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to acce...
CVE-2025-27538
- EPSS 0.21%
- Veröffentlicht 16.04.2025 07:45:01
- Zuletzt bearbeitet 01.10.2025 18:20:09
Mattermost versions 10.5.x <= 10.5.1, 9.11.x <= 9.11.9 fail to enforce MFA checks in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user ID, which allows users with edit_other_users permission to activate or deactivate...
CVE-2025-24839
- EPSS 0.2%
- Veröffentlicht 16.04.2025 07:44:20
- Zuletzt bearbeitet 02.10.2025 14:50:00
Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to prevent Wrangler posts from triggering AI responses. This vulnerability allows users without access to the AI bot to activate it by attaching the activate_ai override pr...