CVE-2026-3117
- EPSS 0.23%
- Veröffentlicht 18.05.2026 08:09:57
- Zuletzt bearbeitet 29.05.2026 19:12:05
Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or setup webhook connections via the {{gitlab instance {...
CVE-2026-4286
- EPSS 0.14%
- Veröffentlicht 18.05.2026 08:07:06
- Zuletzt bearbeitet 18.05.2026 19:16:29
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing users with only {{Manage Playbook Configurations}} permission to change a playbook's team, bypassing manage mem...
CVE-2026-6339
- EPSS 0.11%
- Veröffentlicht 18.05.2026 08:05:30
- Zuletzt bearbeitet 18.05.2026 19:11:13
Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient conse...
CVE-2026-6340
- EPSS 0.24%
- Veröffentlicht 18.05.2026 07:08:56
- Zuletzt bearbeitet 19.05.2026 17:21:26
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a speci...
CVE-2026-6341
- EPSS 0.15%
- Veröffentlicht 18.05.2026 07:05:03
- Zuletzt bearbeitet 29.05.2026 19:11:51
Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via di...
CVE-2026-6342
- EPSS 0.15%
- Veröffentlicht 18.05.2026 07:00:24
- Zuletzt bearbeitet 29.05.2026 19:11:57
Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whi...
CVE-2026-3495
- EPSS 0.14%
- Veröffentlicht 18.05.2026 06:58:29
- Zuletzt bearbeitet 19.05.2026 17:37:07
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious ...
CVE-2026-4273
- EPSS 0.14%
- Veröffentlicht 18.05.2026 06:56:11
- Zuletzt bearbeitet 19.05.2026 17:23:36
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and re...
CVE-2026-3637
- EPSS 0.15%
- Veröffentlicht 18.05.2026 06:53:29
- Zuletzt bearbeitet 19.05.2026 17:34:01
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing p...
CVE-2026-2325
- EPSS 0.24%
- Veröffentlicht 18.05.2026 06:51:47
- Zuletzt bearbeitet 18.05.2026 19:17:11
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a c...