go

github.com/mattermost/mattermost-server

100 Total advisories
100 Vulnerabilities
0 Malware

Vulnerabilities

HIGH 7.6
Go

CVE-2026-6347

Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin

MEDIUM 4.3
Go

CVE-2026-2325

Mattermost doesn't limit the size of the request body on the start meeting API endpoint

LOW 3.7
Go

CVE-2026-4273

Mattermost doesn't validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation

HIGH 8.7
Go

CVE-2026-6346

Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation

MEDIUM 4.3
Go

CVE-2026-28759

Mattermost does not verify remote cluster channel access when processing shared channel membership removals

LOW 3.5
Go

CVE-2026-6333

Mattermost doesn't validate the Host header when constructing response URLs for custom slash command

MEDIUM 6.5
Go

CVE-2026-6345

Mattermost doesn't prevent disclosure of created user password

MEDIUM 6.5
Go

CVE-2026-5163

Mattermost doesn't verify channel membership when processing AI-assisted message rewrites

MEDIUM 4.3
Go

CVE-2026-6339

Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint

MEDIUM 4.3
Go

CVE-2026-28732

Mattermost doesn't enforce slash command trigger-word uniqueness during command updates

MEDIUM 4.3
Go

CVE-2026-3637

Mattermost doesn't check the create_post channel permission during post edit operations

LOW 3.8
Go

CVE-2026-3495

Mattermost doesn't escape some variables that could contain malicious content during error page composition

MEDIUM 4.3
Go

CVE-2026-6340

Mattermost doesn't validate 7zip archive structure before processing

LOW 3.1
Go

CVE-2026-6334

Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption flow

MEDIUM 4.3
Go

CVE-2026-4054

Mattermost doesn't validate the response body of proxied images

LOW 3.1
Go

CVE-2026-4053

Mattermost doesn't enforce the PostEditTimeLimit on non-message post fields

MEDIUM 6.5
Go

CVE-2026-3590

Mattermost has session spoofing due to lack of enforcement of single-use consumption of guest magic link tokens

LOW 2.7
Go

CVE-2026-27769

Mattermost doesn't validate whether users were correctly owned by the correct Connected Workspace

MEDIUM 4.3
Go

CVE-2026-26246

Mattermost fails to bound memory allocation when processing PSD image files

UNKNOWN
Go

CVE-2026-26246

Mattermost fails to bound memory allocation when processing PSD image files in github.com/mattermost/mattermost-server

MEDIUM 4.3
Go

CVE-2026-26233

Mattermost doesn't rate limit login requests, allowing DoS

UNKNOWN
Go

CVE-2026-26233

Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server

LOW 3.8
Go

CVE-2025-14573

Mattermost fails to enforce invite permissions when updating team settings

MEDIUM 5.7
Go

CVE-2025-13821

Mattermost fails to sanitize sensitive data in WebSocket messages

MEDIUM 4.3
Go

CVE-2025-14350

Mattermost fails to properly validate team membership when processing channel mentions

MEDIUM 5.4
Go

CVE-2026-0999

Mattermost fails to properly validate login method restrictions

MEDIUM 5.0
Go

CVE-2026-3113

Mattermost doesn't set permissions on downloaded bulk export

MEDIUM 5.7
Go

CVE-2026-27656

Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw

MEDIUM 4.3
Go

CVE-2026-25783

Mattermost fails to properly validate User-Agent header tokens

MEDIUM 5.3
Go

CVE-2026-2456

Mattermost fails to limit the size of responses from integration action endpoints

UNKNOWN
Go

CVE-2026-25783

Mattermost fails to properly validate User-Agent header tokens in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2026-2456

Mattermost fails to limit the size of responses from integration action endpoints in github.com/mattermost/mattermost-server

LOW 3.1
Go

CVE-2026-22545

Mattermost fails to validate user's authentication method when processing account auth type switch

MEDIUM 4.3
Go

CVE-2026-25780

Mattermost fails to bound memory allocation when processing DOC files

MEDIUM 4.3
Go

CVE-2026-2457

Mattermost allows attackers to spoof permalink embeds

MEDIUM 4.3
Go

CVE-2026-21386

Mattermost fails to use consistent error responses when handling the /mute command

MEDIUM 4.3
Go

CVE-2026-2463

Mattermost fails to filter invite IDs based on user permissions

MEDIUM 4.3
Go

CVE-2026-2455

Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation

MEDIUM 4.3
Go

CVE-2026-4265

Mattermost fails to validate team-specific upload_file permissions

HIGH 7.5
Go

CVE-2026-24458

Mattermost fails to properly handle very long passwords

MEDIUM 4.3
Go

CVE-2026-2458

Mattermost allows a removed team member to enumerate all public channels within a private team

MEDIUM 4.3
Go

CVE-2026-2578

Mattermost fails to preserve the redacted state of burn-on-read posts during deletion

MEDIUM 4.3
Go

CVE-2026-24692

Mattermost fails to properly enforce read permissions in search API endpoints

UNKNOWN
Go

CVE-2026-22545

Mattermost fails to validate user's authentication method when processing account auth type switch in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2026-21386

Mattermost fails to use consistent error responses when handling the /mute command in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2026-4265

Mattermost fails to validate team-specific upload_file permissions in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2026-2455

Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2026-2578

Mattermost fails to preserve the redacted state of burn-on-read posts during deletion in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2026-24458

Mattermost fails to properly handle very long passwords in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2026-25780

Mattermost fails to bound memory allocation when processing DOC files in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2026-2457

Mattermost allows attackers to spoof permalink embeds in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2026-24692

Mattermost fails to properly enforce read permissions in search API endpoints in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2026-2463

Mattermost fails to filter invite IDs based on user permissions in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2026-2458

Mattermost allows a removed team member to enumerate all public channels within a private team in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18904

Mattermost Server vulnerable to XSS via an uploaded file in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18897

Mattermost Server mishandles redirect denial action in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18900

Mattermost Server is vulnerable to CSV Injection in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18893

Mattermost Server is vulnerable to XSS through display name field in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18896

Mattermost Server allows attackers to log sensitive information via DEBUG REST API logging endpoint in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18895

Mattermost Server exposes sensitive user status information via REST API version 4 endpoint in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18898

Mattermost Server is vulnerable to DoS through maliciously crafted posts in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18894

Mattermost Server has intermittent Authorization bypass for resource-owners in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18891

Mattermost Server does not safeguard against phishing via error page links in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18892

Mattermost Server does not neutralize HTML content in an Email template field in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18901

CVE-2017-18901 in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18905

Mattermost Server has Insufficient Session Expiration when used as an OAuth 2.0 service provider in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2025-14273

Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira

UNKNOWN
Go

CVE-2025-13352

Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost

UNKNOWN
Go

CVE-2025-13324

Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost

UNKNOWN
Go

CVE-2025-62690

Mattermost has missing redirect URL validation in github.com/mattermost/mattermost

UNKNOWN
Go

CVE-2017-18871

Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18884

Mattermost Server exposes OAuth personal access tokens to attackers in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18902

Mattermost Server exposes team invite IDs through API endpoints in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18888

Mattermost Server is vulnerable to SQL Injection when executing multiple POST requests in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18885

Mattermost Server allows attackers to gain privileges by accessing unintended API endpoints with users' credentials in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18887

Mattermost Server exposes team creator's e-mail address to other members in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18877

Mattermost Server is vulnerable to XSS attacks against an OAuth 2.0 allow/deny page in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18890

Mattermost Server allows attackers to create buttons that can launch API requests in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18889

Mattermost Server is vulnerable to webhook and slash command manipulation in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2025-13870

Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost

UNKNOWN
Go

CVE-2017-18883

Mattermost Server has low entropy for authorization data as an OAuth 2.0 Service Provider in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18879

Mattermost Server is vulnerable to XSS through author_link field in Slack attachments in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18886

Mattermost Server does not properly restrict use of slash commands in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2025-12421

Mattermost fails to verify the token used during code exchange in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2017-18870

CVE-2017-18870 in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2025-12756

Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost

UNKNOWN
Go

CVE-2025-12559

Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2025-12419

Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2025-41436

Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2018-21258

Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2025-55070

Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2025-55073

Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2025-55074

Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2025-11794

Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2025-11776

Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost

UNKNOWN
Go

CVE-2025-11777

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost

UNKNOWN
Go

CVE-2016-11080

Mattermost Server exposes account details to any Team Administrator in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2016-11084

Mattermost Server allows XSS via CSRF in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2016-11083

Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution in github.com/mattermost/mattermost-server

UNKNOWN
Go

CVE-2025-9081

Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards
