CVE-2026-6517
- EPSS 0.19%
- Veröffentlicht 15.06.2026 13:55:25
- Zuletzt bearbeitet 16.06.2026 16:54:47
Mattermost Desktop App versions <=6.1 5.5.13.0 fail to restrict the allow list of domains to which NTLM credentials were forwarded to in the Mattermost Desktop App which allows any user on a server without the image proxy enabled to intercept other u...
CVE-2026-6689
- EPSS 0.15%
- Veröffentlicht 12.06.2026 17:16:27
- Zuletzt bearbeitet 15.06.2026 20:56:44
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch), wh...
CVE-2026-6739
- EPSS 0.26%
- Veröffentlicht 12.06.2026 17:16:27
- Zuletzt bearbeitet 15.06.2026 20:56:44
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management per...
CVE-2026-6961
- EPSS 0.29%
- Veröffentlicht 12.06.2026 17:16:27
- Zuletzt bearbeitet 15.06.2026 20:56:44
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federat...
CVE-2026-7184
- EPSS 0.26%
- Veröffentlicht 12.06.2026 17:16:27
- Zuletzt bearbeitet 15.06.2026 20:56:44
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the {{manage_secure_connections}} permission to obtain remote clus...
CVE-2026-7387
- EPSS 0.3%
- Veröffentlicht 12.06.2026 17:16:27
- Zuletzt bearbeitet 15.06.2026 20:56:44
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a u...
CVE-2026-6046
- EPSS 0.19%
- Veröffentlicht 12.06.2026 17:16:26
- Zuletzt bearbeitet 15.06.2026 20:56:44
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private me...
CVE-2026-3433
- EPSS 0.18%
- Veröffentlicht 12.06.2026 17:16:22
- Zuletzt bearbeitet 15.06.2026 20:56:44
Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-lev...
CVE-2026-6957
- EPSS 0.3%
- Veröffentlicht 27.05.2026 15:16:34
- Zuletzt bearbeitet 02.06.2026 14:29:03
Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary lo...
CVE-2026-4915
- EPSS 0.28%
- Veröffentlicht 25.05.2026 07:10:23
- Zuletzt bearbeitet 01.06.2026 17:57:36
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (se...