{"ecosystem":"go","package":"github.com/mattermost/mattermost-server","version":null,"bugs":[{"id":5776,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2","bug_id":"osv:GHSA-wvjg-33p9-938h","title":"Mattermost Server does not properly restrict use of slash commands","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18886","labels":["CVE-2017-18886","GO-2025-4204"],"created_at":"2026-04-26 03:02:13.168531+00:00","updated_at":"2026-04-26 03:02:13.168531+00:00"},{"id":5760,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.1.1","bug_id":"osv:GHSA-r93j-3mmp-px57","title":"Mattermost Server: initial_load API exposes unnecessary information","description":"An issue was discovered in Mattermost Server before 3.1.1. 
The initial_load API disclosed unnecessary personal information.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11066","labels":["CVE-2016-11066","GO-2025-4047"],"created_at":"2026-04-26 03:02:13.120750+00:00","updated_at":"2026-04-26 03:02:13.120750+00:00"},{"id":5759,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20250815100400-2d5cdc6e217e","bug_id":"osv:GHSA-r6qj-894f-5hr2","title":"Mattermost has a Missing Authorization vulnerability","description":"Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the RelayState.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58075","labels":["CVE-2025-58075","GO-2025-4035"],"created_at":"2026-04-26 03:02:13.117865+00:00","updated_at":"2026-04-26 03:02:13.117865+00:00"},{"id":5758,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.8.1-0.20170504181128-4f074fed0d65","bug_id":"osv:GHSA-r6j5-fqx9-7qv9","title":"Mattermost Server SAML implementation does not require encryption or signature verification as default","description":"An issue was discovered in Mattermost Server before 3.9.0 when SAML is used. 
Encryption and signature verification are not mandatory.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18909","labels":["CVE-2017-18909","GO-2026-4478"],"created_at":"2026-04-26 03:02:13.115048+00:00","updated_at":"2026-04-26 03:02:13.115048+00:00"},{"id":5756,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.8.0","fixed_version":"10.8.4","bug_id":"osv:GHSA-qx3f-6vq3-8j8m","title":"Mattermost Path Traversal vulnerability","description":"Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9079","labels":["CVE-2025-9079","GO-2025-3977"],"created_at":"2026-04-26 03:02:13.109496+00:00","updated_at":"2026-04-26 03:02:13.109496+00:00"},{"id":5754,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.2.0","bug_id":"osv:GHSA-qrf6-h5fc-7m96","title":"Mattermost Server does not enforce rate limits on password change attempts","description":"An issue was discovered in Mattermost Server before 3.2.0. 
It mishandles brute-force attempts at password change.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11069","labels":["CVE-2016-11069","GO-2025-4051"],"created_at":"2026-04-26 03:02:13.103787+00:00","updated_at":"2026-04-26 03:02:13.103787+00:00"},{"id":5737,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20260129164748-7201f42d955f","bug_id":"osv:GHSA-m5rv-56xx-hfc6","title":"Mattermost fails to properly handle very long passwords","description":"Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly handle very long passwords, which allows an attacker to overload the server CPU and memory via executing login attempts with multi-megabyte passwords. Mattermost Advisory ID: MMSA-2026-00587","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24458","labels":["CVE-2026-24458","GO-2026-4731"],"created_at":"2026-04-26 03:02:13.056737+00:00","updated_at":"2026-04-26 03:02:13.056737+00:00"},{"id":5734,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.7.4-0.20170404171331-0b5c0794fdcb","bug_id":"osv:GHSA-m2ch-x2q7-2284","title":"Mattermost Server allows an attacker to specify a full pathname of a log file","description":"An issue was discovered in Mattermost Server before 3.7.5. 
It allows an attacker to specify a full pathname of a log file.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18912","labels":["CVE-2017-18912","GO-2026-4487"],"created_at":"2026-04-26 03:02:13.048310+00:00","updated_at":"2026-04-26 03:02:13.048310+00:00"},{"id":5733,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.7.5-0.20170421192444-247cd1e51a8c","bug_id":"osv:GHSA-jxc4-w54c-qv5r","title":"Mattermost Server uses weak hashing for OAuth, email verification tokens and invitations","description":"An issue was discovered in Mattermost Server before 3.8.2 and 3.7.5. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18917","labels":["CVE-2017-18917","GO-2026-4463"],"created_at":"2026-04-26 03:02:13.045605+00:00","updated_at":"2026-04-26 03:02:13.045605+00:00"},{"id":5729,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.2.2","bug_id":"osv:GHSA-jc6w-8r7f-vmp5","title":"Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names","description":"An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. 
It allows attackers to cause a denial of service (application crash) via an @ character before a JavaScript field name.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18871","labels":["CVE-2017-18871","GO-2025-4184"],"created_at":"2026-04-26 03:02:13.034467+00:00","updated_at":"2026-04-26 03:02:13.034467+00:00"},{"id":5727,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.0","bug_id":"osv:GHSA-j26g-95ph-2mwv","title":"Mattermost Server: Insufficient Password-Reset Link Invalidation","description":"An issue was discovered in Mattermost Server before 3.0.0. A password-reset link could be reused.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11074","labels":["CVE-2016-11074","GO-2025-4059"],"created_at":"2026-04-26 03:02:13.028959+00:00","updated_at":"2026-04-26 03:02:13.028959+00:00"},{"id":5713,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.0.5","bug_id":"osv:GHSA-gg42-mwr6-p82c","title":"Mattermost Server has intermittent Authorization bypass for resource-owners","description":"An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. 
Resource-owner authorization can be intermittently bypassed, allowing account takeover.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18894","labels":["CVE-2017-18894","GO-2026-4297"],"created_at":"2026-04-26 03:02:12.990091+00:00","updated_at":"2026-04-26 03:02:12.990091+00:00"},{"id":5707,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.9.2-0.20170714134023-b17fca0d5ee7","bug_id":"osv:GHSA-fpcr-4rr5-hpcp","title":"Mattermost Server vulnerable to user account takeover when Single Sign-On OAuth2 is used","description":"An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when Single Sign-On OAuth2 is used. An attacker could claim somebody else's account.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18906","labels":["CVE-2017-18906","GO-2026-4477"],"created_at":"2026-04-26 03:02:12.973740+00:00","updated_at":"2026-04-26 03:02:12.973740+00:00"},{"id":5702,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.9.2","bug_id":"osv:GHSA-fcwg-45jh-5qhf","title":"Mattermost Server vulnerable to CSRF if CORS is enabled","description":"An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. 
CSRF can occur if CORS is enabled.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18903","labels":["CVE-2017-18903","GO-2026-4305"],"created_at":"2026-04-26 03:02:12.959902+00:00","updated_at":"2026-04-26 03:02:12.959902+00:00"},{"id":5675,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20250807174701-e14175eb6539","bug_id":"osv:GHSA-6q7m-p8cc-998r","title":"Mattermost has a Missing Authorization vulnerability","description":"Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using the original invite token which allows any attacker to join any team on a Mattermost server regardless of restrictions via manipulating the OAuth state.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58073","labels":["CVE-2025-58073","GO-2025-4032"],"created_at":"2026-04-26 03:02:12.884987+00:00","updated_at":"2026-04-26 03:02:12.884987+00:00"},{"id":5674,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.10.0","fixed_version":"10.10.2","bug_id":"osv:GHSA-69j8-prx2-vx98","title":"Mattermost Open Redirect vulnerability","description":"Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled URL.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9072","labels":["CVE-2025-9072","GO-2025-3958"],"created_at":"2026-04-26 03:02:12.882135+00:00","updated_at":"2026-04-26 
03:02:12.882135+00:00"},{"id":5667,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"5.1.0","bug_id":"osv:GHSA-5mh6-p63g-3mv5","title":"Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command","description":"An issue was discovered in Mattermost Server before 5.1.0. It allows attackers to cause a denial of service via the invite_people slash command.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-21258","labels":["CVE-2018-21258","GO-2025-4146"],"created_at":"2026-04-26 03:02:12.859967+00:00","updated_at":"2026-04-26 03:02:12.859967+00:00"},{"id":5645,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.0","bug_id":"osv:GHSA-379p-37xc-q963","title":"Mattermost Server does not check if cookies are used over SSL","description":"An issue was discovered in Mattermost Server before 3.0.0. 
It does not ensure that a cookie is used over SSL.","severity":"high","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11076","labels":["CVE-2016-11076","GO-2025-4054"],"created_at":"2026-04-26 03:02:12.796232+00:00","updated_at":"2026-04-26 03:02:12.796232+00:00"},{"id":6020,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.4.0-rc1+incompatible","fixed_version":"11.4.1+incompatible","bug_id":"osv:GO-2026-4916","title":"Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server","description":"Mattermost doesn't rate limit login requests, allowing DoS in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server from v8.0.0-20260105080200-d27a2195068d before v8.0.0-20260217110922-b7d4a1f1f59b.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-247x-7qw8-fp98","labels":["CVE-2026-26233","GHSA-247x-7qw8-fp98"],"created_at":"2026-04-26 03:02:13.878451+00:00","updated_at":"2026-04-26 03:02:13.878451+00:00"},{"id":6019,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4786","title":"Mattermost fails to validate user's authentication method when processing account auth type switch in github.com/mattermost/mattermost-server","description":"Mattermost fails to validate user's authentication method when processing account auth type switch in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains 
additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260127144908-ced9a56e3988.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-rv67-7w2g-7976","labels":["CVE-2026-22545","GHSA-rv67-7w2g-7976"],"created_at":"2026-04-26 03:02:13.875694+00:00","updated_at":"2026-04-26 03:02:13.875694+00:00"},{"id":6018,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4749","title":"Mattermost fails to validate team-specific upload_file permissions in github.com/mattermost/mattermost-server","description":"Mattermost fails to validate team-specific upload_file permissions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260107144005-c7f6efdfb035.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-xpvf-6qcc-9jqc","labels":["CVE-2026-4265","GHSA-xpvf-6qcc-9jqc"],"created_at":"2026-04-26 03:02:13.872873+00:00","updated_at":"2026-04-26 03:02:13.872873+00:00"},{"id":6017,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4746","title":"Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved 
IP validation in github.com/mattermost/mattermost-server","description":"Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260129133647-5d787969c2d5.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-gqv7-j2j8-qmwq","labels":["CVE-2026-2455","GHSA-gqv7-j2j8-qmwq"],"created_at":"2026-04-26 03:02:13.870121+00:00","updated_at":"2026-04-26 03:02:13.870121+00:00"},{"id":6016,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4745","title":"Mattermost fails to properly enforce read permissions in search API endpoints in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly enforce read permissions in search API endpoints in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260107142155-0481bd1fb045.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-cwfj-642j-gfh4","labels":["CVE-2026-24692","GHSA-cwfj-642j-gfh4"],"created_at":"2026-04-26 03:02:13.864595+00:00","updated_at":"2026-04-26 
03:02:13.864595+00:00"},{"id":6015,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4744","title":"Mattermost fails to use consistent error responses when handling the /mute command in github.com/mattermost/mattermost-server","description":"Mattermost fails to use consistent error responses when handling the /mute command in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260130144323-5bb5261c72fa.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-5mr9-crcg-8wh2","labels":["CVE-2026-21386","GHSA-5mr9-crcg-8wh2"],"created_at":"2026-04-26 03:02:13.861781+00:00","updated_at":"2026-04-26 03:02:13.861781+00:00"},{"id":6014,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4735","title":"Mattermost fails to filter invite IDs based on user permissions in github.com/mattermost/mattermost-server","description":"Mattermost fails to filter invite IDs based on user permissions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before 
v5.3.2-0.20260105134819-cc427af41b2a.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fx49-m253-27jj","labels":["CVE-2026-2463","GHSA-fx49-m253-27jj"],"created_at":"2026-04-26 03:02:13.858973+00:00","updated_at":"2026-04-26 03:02:13.858973+00:00"},{"id":6013,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4734","title":"Mattermost fails to preserve the redacted state of burn-on-read posts during deletion in github.com/mattermost/mattermost-server","description":"Mattermost fails to preserve the redacted state of burn-on-read posts during deletion in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260127062706-c6b205f0d770.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3rhr-jr63-hwq5","labels":["CVE-2026-2578","GHSA-3rhr-jr63-hwq5"],"created_at":"2026-04-26 03:02:13.856189+00:00","updated_at":"2026-04-26 03:02:13.856189+00:00"},{"id":6012,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4733","title":"Mattermost fails to bound memory allocation when processing DOC files in github.com/mattermost/mattermost-server","description":"Mattermost fails to bound memory allocation when processing DOC files in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically 
mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260123215601-86797c508c44.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-xv2p-wchj-qjhp","labels":["CVE-2026-25780","GHSA-xv2p-wchj-qjhp"],"created_at":"2026-04-26 03:02:13.853477+00:00","updated_at":"2026-04-26 03:02:13.853477+00:00"},{"id":6011,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4732","title":"Mattermost allows attackers to spoof permalink embeds in github.com/mattermost/mattermost-server","description":"Mattermost allows attackers to spoof permalink embeds in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260123211116-9efe617be8b8.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-ph22-fw5m-w2q9","labels":["CVE-2026-2457","GHSA-ph22-fw5m-w2q9"],"created_at":"2026-04-26 03:02:13.850621+00:00","updated_at":"2026-04-26 03:02:13.850621+00:00"},{"id":6010,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4731","title":"Mattermost fails to properly handle very long passwords in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly handle very 
long passwords in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260129164748-7201f42d955f.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-m5rv-56xx-hfc6","labels":["CVE-2026-24458","GHSA-m5rv-56xx-hfc6"],"created_at":"2026-04-26 03:02:13.847805+00:00","updated_at":"2026-04-26 03:02:13.847805+00:00"},{"id":6009,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4729","title":"Mattermost allows a removed team member to enumerate all public channels within a private team in github.com/mattermost/mattermost-server","description":"Mattermost allows a removed team member to enumerate all public channels within a private team in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260113182106-a18b80ba4c32.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-679f-wmrg-qf57","labels":["CVE-2026-2458","GHSA-679f-wmrg-qf57"],"created_at":"2026-04-26 03:02:13.845032+00:00","updated_at":"2026-04-26 
03:02:13.845032+00:00"},{"id":6008,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4727","title":"Mattermost fails to bound memory allocation when processing PSD image files in github.com/mattermost/mattermost-server","description":"Mattermost fails to bound memory allocation when processing PSD image files in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260115183946-38b413a27604.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26246","labels":["CVE-2026-26246","GHSA-44mv-jq72-gj49"],"created_at":"2026-04-26 03:02:13.842166+00:00","updated_at":"2026-04-26 03:02:13.842166+00:00"},{"id":6007,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4726","title":"Mattermost fails to limit the size of responses from integration action endpoints in github.com/mattermost/mattermost-server","description":"Mattermost fails to limit the size of responses from integration action endpoints in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before 
v5.3.2-0.20260127165411-fe3052073dc6.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-34g8-9fpp-46ch","labels":["CVE-2026-2456","GHSA-34g8-9fpp-46ch"],"created_at":"2026-04-26 03:02:13.839342+00:00","updated_at":"2026-04-26 03:02:13.839342+00:00"},{"id":6006,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4725","title":"Mattermost fails to properly validate User-Agent header tokens in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly validate User-Agent header tokens in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260129181235-1346cf529aef.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-2v3w-6g35-5f9v","labels":["CVE-2026-25783","GHSA-2v3w-6g35-5f9v"],"created_at":"2026-04-26 03:02:13.836631+00:00","updated_at":"2026-04-26 03:02:13.836631+00:00"},{"id":6005,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0+incompatible","fixed_version":null,"bug_id":"osv:GO-2026-4524","title":"Mattermost fails to sanitize sensitive data in WebSocket messages in github.com/mattermost/mattermost-server","description":"Mattermost fails to sanitize sensitive data in WebSocket messages in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing 
false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251210191531-cd17b61de41b.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-pp9j-pf5c-659x","labels":["CVE-2025-13821","GHSA-pp9j-pf5c-659x"],"created_at":"2026-04-26 03:02:13.833867+00:00","updated_at":"2026-04-26 03:02:13.833867+00:00"},{"id":6004,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0+incompatible","fixed_version":null,"bug_id":"osv:GO-2026-4523","title":"Mattermost fails to enforce invite permissions when updating team settings in github.com/mattermost/mattermost-server","description":"Mattermost fails to enforce invite permissions when updating team settings in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251215190648-6404ab29acc0.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-cgjg-p2m2-qm4p","labels":["CVE-2025-14573","GHSA-cgjg-p2m2-qm4p"],"created_at":"2026-04-26 03:02:13.831154+00:00","updated_at":"2026-04-26 03:02:13.831154+00:00"},{"id":6003,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0+incompatible","fixed_version":null,"bug_id":"osv:GO-2026-4521","title":"Mattermost fails to properly validate team membership when processing channel mentions in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly validate team membership when processing 
channel mentions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251209134645-761e56bb11cc.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-57cc-2pf4-mhmx","labels":["CVE-2025-14350","GHSA-57cc-2pf4-mhmx"],"created_at":"2026-04-26 03:02:13.828312+00:00","updated_at":"2026-04-26 03:02:13.828312+00:00"},{"id":6002,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0+incompatible","fixed_version":null,"bug_id":"osv:GO-2026-4520","title":"Mattermost fails to properly validate login method restrictions in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly validate login method restrictions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251212052346-61651b0df7ea.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-3c9r-7f29-qp32","labels":["CVE-2026-0999","GHSA-3c9r-7f29-qp32"],"created_at":"2026-04-26 03:02:13.825555+00:00","updated_at":"2026-04-26 
03:02:13.825555+00:00"},{"id":6001,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.2.0+incompatible","fixed_version":"11.2.2+incompatible","bug_id":"osv:GO-2026-4496","title":"Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts in github.com/mattermost/mattermost-server","description":"Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9pj7-jh2r-87g8","labels":["CVE-2026-22892","GHSA-9pj7-jh2r-87g8"],"created_at":"2026-04-26 03:02:13.822788+00:00","updated_at":"2026-04-26 03:02:13.822788+00:00"},{"id":6000,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0+incompatible","fixed_version":"10.11.10+incompatible","bug_id":"osv:GO-2026-4495","title":"Mattermost doesn't properly validate channel membership at the time of data retrieval in github.com/mattermost/mattermost-server","description":"Mattermost doesn't properly validate channel membership at the time of data retrieval in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-2xf7-hmf6-p64j","labels":["CVE-2026-20796","GHSA-2xf7-hmf6-p64j"],"created_at":"2026-04-26 03:02:13.819990+00:00","updated_at":"2026-04-26 03:02:13.819990+00:00"},{"id":5999,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2026-4487","title":"Mattermost Server allows an attacker to specify a full pathname of a log file in github.com/mattermost/mattermost-server","description":"Mattermost Server allows an attacker to specify a full pathname of a log file in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report 
contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.7.4-0.20170404171331-0b5c0794fdcb.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-m2ch-x2q7-2284","labels":["CVE-2017-18912","GHSA-m2ch-x2q7-2284"],"created_at":"2026-04-26 03:02:13.817186+00:00","updated_at":"2026-04-26 03:02:13.817186+00:00"},{"id":5998,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2026-4478","title":"Mattermost Server SAML implementation does not require encryption or signature verification as default in github.com/mattermost/mattermost-server","description":"Mattermost Server SAML implementation does not require encryption or signature verification as default in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.8.1-0.20170504181128-4f074fed0d65.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-r6j5-fqx9-7qv9","labels":["CVE-2017-18909","GHSA-r6j5-fqx9-7qv9"],"created_at":"2026-04-26 03:02:13.814376+00:00","updated_at":"2026-04-26 03:02:13.814376+00:00"},{"id":5997,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"3.10.0+incompatible","fixed_version":"3.10.2+incompatible","bug_id":"osv:GO-2026-4477","title":"Mattermost Server vulnerable to user account 
takeover when Single Sign-On OAuth2 is used in github.com/mattermost/mattermost-server","description":"Mattermost Server vulnerable to user account takeover when Single Sign-On OAuth2 is used in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.9.2-0.20170714134023-b17fca0d5ee7.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fpcr-4rr5-hpcp","labels":["CVE-2017-18906","GHSA-fpcr-4rr5-hpcp"],"created_at":"2026-04-26 03:02:13.811599+00:00","updated_at":"2026-04-26 03:02:13.811599+00:00"},{"id":5996,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"3.10.0+incompatible","fixed_version":"3.10.1+incompatible","bug_id":"osv:GO-2026-4476","title":"Mattermost Server password reset email requests can be sent to attacker-provided email addresses in github.com/mattermost/mattermost-server","description":"Mattermost Server password reset email requests can be sent to attacker-provided email addresses in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-34cx-hvm4-vx7j","labels":["CVE-2017-18908","GHSA-34cx-hvm4-vx7j"],"created_at":"2026-04-26 03:02:13.808833+00:00","updated_at":"2026-04-26 03:02:13.808833+00:00"},{"id":5995,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"3.8.0+incompatible","fixed_version":"3.8.2+incompatible","bug_id":"osv:GO-2026-4467","title":"Mattermost Server has Improper Authorization for Integration Requests in github.com/mattermost/mattermost-server","description":"Mattermost 
Server has Improper Authorization for Integration Requests in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.6.7-0.20170420152529-0968e4079e0a.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-x33g-375j-jhf7","labels":["CVE-2017-18916","GHSA-x33g-375j-jhf7"],"created_at":"2026-04-26 03:02:13.805980+00:00","updated_at":"2026-04-26 03:02:13.805980+00:00"},{"id":5994,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"3.8.0+incompatible","fixed_version":"3.8.2+incompatible","bug_id":"osv:GO-2026-4464","title":"Mattermost Server has X.509 Improper Certificate Validation in github.com/mattermost/mattermost-server","description":"Mattermost Server has X.509 Improper Certificate Validation in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-m462-mqw4-2c8m","labels":["CVE-2017-18911","GHSA-m462-mqw4-2c8m"],"created_at":"2026-04-26 03:02:13.803235+00:00","updated_at":"2026-04-26 03:02:13.803235+00:00"},{"id":5993,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"3.8.0+incompatible","fixed_version":"3.8.2+incompatible","bug_id":"osv:GO-2026-4463","title":"Mattermost Server uses weak hashing for OAuth, email verification tokens and invitations in github.com/mattermost/mattermost-server","description":"Mattermost Server uses weak hashing for OAuth, email verification tokens and invitations in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional 
versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.7.5-0.20170421192444-247cd1e51a8c.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-jxc4-w54c-qv5r","labels":["CVE-2017-18917","GHSA-jxc4-w54c-qv5r"],"created_at":"2026-04-26 03:02:13.800477+00:00","updated_at":"2026-04-26 03:02:13.800477+00:00"},{"id":5992,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"3.8.0+incompatible","fixed_version":"3.8.2+incompatible","bug_id":"osv:GO-2026-4462","title":"Mattermost Server server restarts may provide attackers with API access in github.com/mattermost/mattermost-server","description":"Mattermost Server server restarts may provide attackers with API access in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.6.7-0.20170420152529-0968e4079e0a.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hxxj-8phw-74vw","labels":["CVE-2017-18915","GHSA-hxxj-8phw-74vw"],"created_at":"2026-04-26 03:02:13.797543+00:00","updated_at":"2026-04-26 03:02:13.797543+00:00"},{"id":5991,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"3.7.0+incompatible","fixed_version":"3.7.3+incompatible","bug_id":"osv:GO-2026-4460","title":"Mattermost Server does not restrict SAML certificate path for System Administrators in 
github.com/mattermost/mattermost-server","description":"Mattermost Server does not restrict SAML certificate path for System Administrators in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-5ghq-28r7-qwfj","labels":["CVE-2017-18918","GHSA-5ghq-28r7-qwfj"],"created_at":"2026-04-26 03:02:13.794677+00:00","updated_at":"2026-04-26 03:02:13.794677+00:00"},{"id":5990,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"3.10.0+incompatible","fixed_version":"3.10.2+incompatible","bug_id":"osv:GO-2026-4459","title":"Mattermost Server vulnerable to XSS through channel headers in github.com/mattermost/mattermost-server","description":"Mattermost Server vulnerable to XSS through channel headers in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.9.2-0.20170714014920-312269ad0bd1.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-42x9-rr3c-gr59","labels":["CVE-2017-18907","GHSA-42x9-rr3c-gr59"],"created_at":"2026-04-26 03:02:13.791822+00:00","updated_at":"2026-04-26 03:02:13.791822+00:00"},{"id":5989,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.1.0+incompatible","fixed_version":"11.1.2+incompatible","bug_id":"osv:GO-2026-4326","title":"Mattermost is vulnerable to DoS due to infinite re-renders on API errors in github.com/mattermost/mattermost-server","description":"Mattermost is vulnerable to DoS due to infinite re-renders on API errors in github.com/mattermost/mattermost-server.\n\nNOTE: The 
source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-mx8m-v8qm-xwr8","labels":["CVE-2025-14435","GHSA-mx8m-v8qm-xwr8"],"created_at":"2026-04-26 03:02:13.789079+00:00","updated_at":"2026-04-26 03:02:13.789079+00:00"},{"id":5988,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.0.1+incompatible","fixed_version":"11.2.0+incompatible","bug_id":"osv:GO-2026-4325","title":"Mattermost is vulnerable to CPU exhaustion via crafted HTTP request in github.com/mattermost/mattermost-server","description":"Mattermost is vulnerable to CPU exhaustion via crafted HTTP request in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9r42-rhw3-2222","labels":["CVE-2025-14822","GHSA-9r42-rhw3-2222"],"created_at":"2026-04-26 03:02:13.786354+00:00","updated_at":"2026-04-26 03:02:13.786354+00:00"},{"id":5987,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.2.0-rc1+incompatible","fixed_version":"4.2.0+incompatible","bug_id":"osv:GO-2026-4317","title":"Mattermost Server does not neutralize HTML content in an Email template field in github.com/mattermost/mattermost-server","description":"Mattermost Server does not neutralize HTML content in an Email template 
field in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-wj5w-qghh-gvqp","labels":["CVE-2017-18892","GHSA-wj5w-qghh-gvqp"],"created_at":"2026-04-26 03:02:13.783596+00:00","updated_at":"2026-04-26 03:02:13.783596+00:00"},{"id":5986,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"3.10.0+incompatible","fixed_version":"3.10.2+incompatible","bug_id":"osv:GO-2026-4306","title":"Mattermost Server has Insufficient Session Expiration when used as an OAuth 2.0 service provider in github.com/mattermost/mattermost-server","description":"Mattermost Server has Insufficient Session Expiration when used as an OAuth 2.0 service provider in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-g24c-fx4v-xg9w","labels":["CVE-2017-18905","GHSA-g24c-fx4v-xg9w"],"created_at":"2026-04-26 03:02:13.780836+00:00","updated_at":"2026-04-26 03:02:13.780836+00:00"},{"id":5985,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"3.10.0+incompatible","fixed_version":"3.10.2+incompatible","bug_id":"osv:GO-2026-4305","title":"Mattermost Server vulnerable to CSRF if CORS is enabled in github.com/mattermost/mattermost-server","description":"Mattermost Server vulnerable to CSRF if CORS is enabled in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fcwg-45jh-5qhf","labels":["CVE-2017-18903","GHSA-fcwg-45jh-5qhf"],"created_at":"2026-04-26 
03:02:13.778040+00:00","updated_at":"2026-04-26 03:02:13.778040+00:00"},{"id":5984,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2026-4304","title":"CVE-2017-18901 in github.com/mattermost/mattermost-server","description":"CVE-2017-18901 in github.com/mattermost/mattermost-server","severity":"medium","status":"open","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18901","labels":["CVE-2017-18901","GHSA-c253-8hr4-r8v9"],"created_at":"2026-04-26 03:02:13.775231+00:00","updated_at":"2026-04-26 03:02:13.775231+00:00"},{"id":5983,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.0.0+incompatible","fixed_version":"4.0.3+incompatible","bug_id":"osv:GO-2026-4303","title":"Mattermost Server is vulnerable to CSV Injection in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to CSV Injection in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-8q4v-35v6-g8wr","labels":["CVE-2017-18900","GHSA-8q4v-35v6-g8wr"],"created_at":"2026-04-26 03:02:13.772513+00:00","updated_at":"2026-04-26 03:02:13.772513+00:00"},{"id":5982,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"3.10.0+incompatible","fixed_version":"3.10.2+incompatible","bug_id":"osv:GO-2026-4302","title":"Mattermost Server vulnerable to XSS via an uploaded file in github.com/mattermost/mattermost-server","description":"Mattermost Server vulnerable to XSS via an uploaded file in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-8pff-p3gx-w4jf","labels":["CVE-2017-18904","GHSA-8pff-p3gx-w4jf"],"created_at":"2026-04-26 03:02:13.769728+00:00","updated_at":"2026-04-26 
03:02:13.769728+00:00"},{"id":5981,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.2.0-rc1+incompatible","fixed_version":"4.2.0+incompatible","bug_id":"osv:GO-2026-4301","title":"Mattermost Server mishandles redirect denial action in github.com/mattermost/mattermost-server","description":"Mattermost Server mishandles redirect denial action in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-f7c3-7vp3-44p6","labels":["CVE-2017-18897","GHSA-f7c3-7vp3-44p6"],"created_at":"2026-04-26 03:02:13.766903+00:00","updated_at":"2026-04-26 03:02:13.766903+00:00"},{"id":5980,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.2.0-rc1+incompatible","fixed_version":"4.2.0+incompatible","bug_id":"osv:GO-2026-4300","title":"Mattermost Server is vulnerable to DoS through maliciously crafted posts in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to DoS through maliciously crafted posts in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9589-mq83-f749","labels":["CVE-2017-18898","GHSA-9589-mq83-f749"],"created_at":"2026-04-26 03:02:13.764134+00:00","updated_at":"2026-04-26 03:02:13.764134+00:00"},{"id":5979,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.2.0-rc1+incompatible","fixed_version":"4.2.0+incompatible","bug_id":"osv:GO-2026-4299","title":"Mattermost Server allows attackers to log sensitive information via DEBUG REST API logging endpoint in github.com/mattermost/mattermost-server","description":"Mattermost Server allows attackers to log sensitive information via DEBUG REST API logging endpoint in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-63wg-qmrv-7q66","labels":["CVE-2017-18896","GHSA-63wg-qmrv-7q66"],"created_at":"2026-04-26 03:02:13.761297+00:00","updated_at":"2026-04-26 03:02:13.761297+00:00"},{"id":5978,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.2.0-rc1+incompatible","fixed_version":"4.2.0+incompatible","bug_id":"osv:GO-2026-4298","title":"Mattermost Server does not safeguard against phishing via error page links in github.com/mattermost/mattermost-server","description":"Mattermost Server does not safeguard against phishing via error page links in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vrh2-rprg-rgc6","labels":["CVE-2017-18891","GHSA-vrh2-rprg-rgc6"],"created_at":"2026-04-26 03:02:13.758434+00:00","updated_at":"2026-04-26 03:02:13.758434+00:00"},{"id":5977,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.2.0-rc1+incompatible","fixed_version":"4.2.0+incompatible","bug_id":"osv:GO-2026-4297","title":"Mattermost Server has intermittent Authorization bypass for resource-owners in github.com/mattermost/mattermost-server","description":"Mattermost Server has intermittent Authorization bypass for resource-owners in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-gg42-mwr6-p82c","labels":["CVE-2017-18894","GHSA-gg42-mwr6-p82c"],"created_at":"2026-04-26 03:02:13.755610+00:00","updated_at":"2026-04-26 03:02:13.755610+00:00"},{"id":5976,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.2.0-rc1+incompatible","fixed_version":"4.2.0+incompatible","bug_id":"osv:GO-2026-4296","title":"Mattermost Server is vulnerable to XSS through 
display name field in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to XSS through display name field in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-887v-xh2x-47cm","labels":["CVE-2017-18893","GHSA-887v-xh2x-47cm"],"created_at":"2026-04-26 03:02:13.752739+00:00","updated_at":"2026-04-26 03:02:13.752739+00:00"},{"id":5975,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.2.0-rc1+incompatible","fixed_version":"4.2.0+incompatible","bug_id":"osv:GO-2026-4295","title":"Mattermost Server exposes sensitive user status information via REST API version 4 endpoint in github.com/mattermost/mattermost-server","description":"Mattermost Server exposes sensitive user status information via REST API version 4 endpoint in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-h742-xx59-r9pq","labels":["CVE-2017-18895","GHSA-h742-xx59-r9pq"],"created_at":"2026-04-26 03:02:13.749850+00:00","updated_at":"2026-04-26 03:02:13.749850+00:00"},{"id":5974,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2026-4282","title":"Mattermost Server is vulnerable to channel invisibility DoS via misformatted post in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to channel invisibility DoS via misformatted post in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: 
github.com/mattermost/mattermost-server before v4.1.2-0.20171013141717-ee57a5829ab1, before v4.2.1-0.20171013140502-b3e4b0ac9168.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-x6mw-hf2j-vqpc","labels":["CVE-2017-18873","GHSA-x6mw-hf2j-vqpc"],"created_at":"2026-04-26 03:02:13.746993+00:00","updated_at":"2026-04-26 03:02:13.746993+00:00"},{"id":5973,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20251121122154-b57c297c6d7a","bug_id":"osv:GO-2026-4275","title":"Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira","description":"Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-plugin-jira before v4.4.1.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qvmc-92vg-6r35","labels":["CVE-2025-14273","GHSA-qvmc-92vg-6r35"],"created_at":"2026-04-26 03:02:13.741416+00:00","updated_at":"2026-04-26 03:02:13.741416+00:00"},{"id":5972,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.1.0+incompatible","fixed_version":"11.1.1+incompatible","bug_id":"osv:GO-2025-4260","title":"Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin in github.com/mattermost/mattermost-server","description":"Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira 
plugin in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20251121122154-b57c297c6d7.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vww6-79rv-3j4x","labels":["CVE-2025-64641","GHSA-vww6-79rv-3j4x"],"created_at":"2026-04-26 03:02:13.738630+00:00","updated_at":"2026-04-26 03:02:13.738630+00:00"},{"id":5971,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.1.0+incompatible","fixed_version":"11.1.1+incompatible","bug_id":"osv:GO-2025-4259","title":"Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues in github.com/mattermost/mattermost-server","description":"Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20251121122154-b57c297c6d7.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fmqf-pmcm-8cx9","labels":["CVE-2025-13767","GHSA-fmqf-pmcm-8cx9"],"created_at":"2026-04-26 03:02:13.735858+00:00","updated_at":"2026-04-26 
03:02:13.735858+00:00"},{"id":5970,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.0.0-alpha.1+incompatible","fixed_version":"11.0.4+incompatible","bug_id":"osv:GO-2025-4256","title":"Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost","description":"Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-x3r8-2hmh-89f5","labels":["CVE-2025-13324","GHSA-x3r8-2hmh-89f5"],"created_at":"2026-04-26 03:02:13.733107+00:00","updated_at":"2026-04-26 03:02:13.733107+00:00"},{"id":5969,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0-rc1+incompatible","fixed_version":"11.1.0+incompatible","bug_id":"osv:GO-2025-4248","title":"Mattermost has missing redirect URL validation in github.com/mattermost/mattermost","description":"Mattermost has missing redirect URL validation in github.com/mattermost/mattermost.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost before v10.11.5-0.20251016131338-dad6bd7a1509.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-q66g-q98c-q454","labels":["CVE-2025-62690","GHSA-q66g-q98c-q454"],"created_at":"2026-04-26 03:02:13.730298+00:00","updated_at":"2026-04-26 
03:02:13.730298+00:00"},{"id":5968,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.0.0-alpha.1+incompatible","fixed_version":"11.1.0+incompatible","bug_id":"osv:GO-2025-4247","title":"Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost","description":"Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost before v10.11.7-0.20251106103514-3b05384dd014; github.com/mattermost/mattermost-server before v10.11.7-0.20251106103514-3b05384dd014.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-jf5h-xfw4-p8gp","labels":["CVE-2025-13352","GHSA-jf5h-xfw4-p8gp"],"created_at":"2026-04-26 03:02:13.727569+00:00","updated_at":"2026-04-26 03:02:13.727569+00:00"},{"id":5967,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2025-4204","title":"Mattermost Server does not properly restrict use of slash commands in github.com/mattermost/mattermost-server","description":"Mattermost Server does not properly restrict use of slash commands in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-wvjg-33p9-938h","labels":["CVE-2017-18886","GHSA-wvjg-33p9-938h"],"created_at":"2026-04-26 03:02:13.724839+00:00","updated_at":"2026-04-26 
03:02:13.724839+00:00"},{"id":5966,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2025-4203","title":"Mattermost Server is vulnerable to SQL Injection when executing multiple POST requests in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to SQL Injection when executing multiple POST requests in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-v2vm-hq26-5jv6","labels":["CVE-2017-18888","GHSA-v2vm-hq26-5jv6"],"created_at":"2026-04-26 03:02:13.722115+00:00","updated_at":"2026-04-26 03:02:13.722115+00:00"},{"id":5965,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2025-4202","title":"Mattermost Server allows attackers to create buttons that can launch API requests in github.com/mattermost/mattermost-server","description":"Mattermost Server allows attackers to create buttons that can launch API requests in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-m497-hq5x-6jcv","labels":["CVE-2017-18890","GHSA-m497-hq5x-6jcv"],"created_at":"2026-04-26 03:02:13.719365+00:00","updated_at":"2026-04-26 03:02:13.719365+00:00"},{"id":5964,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2025-4201","title":"Mattermost Server is vulnerable to webhook and slash command manipulation in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to webhook and slash command manipulation in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-jp57-4x34-5v94","labels":["CVE-2017-18889","GHSA-jp57-4x34-5v94"],"created_at":"2026-04-26 03:02:13.716499+00:00","updated_at":"2026-04-26 03:02:13.716499+00:00"},{"id":5963,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2025-4200","title":"Mattermost Server allows attackers to gain privileges by accessing unintended API endpoints with users' credentials in github.com/mattermost/mattermost-server","description":"Mattermost Server allows attackers to gain privileges by accessing unintended API endpoints with users' credentials in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-g78f-6xq7-rrhq","labels":["CVE-2017-18885","GHSA-g78f-6xq7-rrhq"],"created_at":"2026-04-26 03:02:13.713726+00:00","updated_at":"2026-04-26 03:02:13.713726+00:00"},{"id":5962,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2025-4199","title":"Mattermost Server exposes team creator's e-mail address to other members in github.com/mattermost/mattermost-server","description":"Mattermost Server exposes team creator's e-mail address to other members in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-35c4-5qfp-wxj6","labels":["CVE-2017-18887","GHSA-35c4-5qfp-wxj6"],"created_at":"2026-04-26 03:02:13.710956+00:00","updated_at":"2026-04-26 
03:02:13.710956+00:00"},{"id":5961,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2025-4198","title":"Mattermost Server has low entropy for authorization data as an OAuth 2.0 Service Provider in github.com/mattermost/mattermost-server","description":"Mattermost Server has low entropy for authorization data as an OAuth 2.0 Service Provider in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-w8cc-3h7q-jhc3","labels":["CVE-2017-18883","GHSA-w8cc-3h7q-jhc3"],"created_at":"2026-04-26 03:02:13.708188+00:00","updated_at":"2026-04-26 03:02:13.708188+00:00"},{"id":5960,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2025-4197","title":"Mattermost Server exposes OAuth personal access tokens to attackers in github.com/mattermost/mattermost-server","description":"Mattermost Server exposes OAuth personal access tokens to attackers in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-876j-jfqf-m7j7","labels":["CVE-2017-18884","GHSA-876j-jfqf-m7j7"],"created_at":"2026-04-26 03:02:13.705345+00:00","updated_at":"2026-04-26 03:02:13.705345+00:00"},{"id":5959,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2025-4191","title":"Mattermost Server allows users with a session ID to revoke another users' session in github.com/mattermost/mattermost-server","description":"Mattermost Server allows users with a session ID to revoke another users' session in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report 
contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v4.1.2-0.20171004201910-6be8113eb60c, before v4.2.1-0.20171004192657-8fbbd688ea24.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-h564-6gc2-fcc6","labels":["CVE-2017-18878","GHSA-h564-6gc2-fcc6"],"created_at":"2026-04-26 03:02:13.702590+00:00","updated_at":"2026-04-26 03:02:13.702590+00:00"},{"id":5958,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2025-4190","title":"Mattermost Server is vulnerable to XSS attacks against an OAuth 2.0 allow/deny page in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to XSS attacks against an OAuth 2.0 allow/deny page in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9x8x-w6g5-hx4w","labels":["CVE-2017-18877","GHSA-9x8x-w6g5-hx4w"],"created_at":"2026-04-26 03:02:13.699777+00:00","updated_at":"2026-04-26 03:02:13.699777+00:00"},{"id":5957,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2025-4189","title":"Mattermost Server is vulnerable to XSS through author_link field in Slack attachments in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to XSS through author_link field in Slack attachments in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-498j-wxww-j897","labels":["CVE-2017-18879","GHSA-498j-wxww-j897"],"created_at":"2026-04-26 03:02:13.697071+00:00","updated_at":"2026-04-26 03:02:13.697071+00:00"},{"id":5956,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2025-4187","title":"Mattermost Server is vulnerable to Path Traversal when files are stored locally in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to Path Traversal when files are stored locally in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v4.1.2-0.20171004201910-6be8113eb60c, from v4.2.0-rc1.0.20171004154238-fadd9514f6e7 before v4.2.1-0.20171004194140-6d3cb2ce07fc.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hjqh-j6rj-gh8q","labels":["CVE-2017-18876","GHSA-hjqh-j6rj-gh8q"],"created_at":"2026-04-26 03:02:13.694340+00:00","updated_at":"2026-04-26 03:02:13.694340+00:00"},{"id":5955,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2025-4186","title":"Mattermost Server does not prevent System Admin from arbitrary file creation in github.com/mattermost/mattermost-server","description":"Mattermost Server does not prevent System Admin from arbitrary file creation in github.com/mattermost/mattermost-server.\n\nNOTE: The 
source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v4.1.2-0.20171004201910-6be8113eb60c, from v4.2.0-rc1.0.20171004154238-fadd9514f6e7 before v4.2.1-0.20171004194140-6d3cb2ce07fc.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9rr5-q43r-ccv4","labels":["CVE-2017-18875","GHSA-9rr5-q43r-ccv4"],"created_at":"2026-04-26 03:02:13.691605+00:00","updated_at":"2026-04-26 03:02:13.691605+00:00"},{"id":5954,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.0.5-rc1+incompatible","fixed_version":"4.1.0+incompatible","bug_id":"osv:GO-2025-4185","title":"Mattermost Server exposes team invite IDs through API endpoints in github.com/mattermost/mattermost-server","description":"Mattermost Server exposes team invite IDs through API endpoints in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-jwfv-5hwq-f97r","labels":["CVE-2017-18902","GHSA-jwfv-5hwq-f97r"],"created_at":"2026-04-26 03:02:13.688740+00:00","updated_at":"2026-04-26 03:02:13.688740+00:00"},{"id":5953,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.5.0-rc1+incompatible","fixed_version":"4.5.0+incompatible","bug_id":"osv:GO-2025-4184","title":"Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names in github.com/mattermost/mattermost-server","description":"Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-jc6w-8r7f-vmp5","labels":["CVE-2017-18871","GHSA-jc6w-8r7f-vmp5"],"created_at":"2026-04-26 03:02:13.685909+00:00","updated_at":"2026-04-26 03:02:13.685909+00:00"},{"id":5952,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2025-4183","title":"CVE-2017-18870 in github.com/mattermost/mattermost-server","description":"CVE-2017-18870 in github.com/mattermost/mattermost-server","severity":"medium","status":"open","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18870","labels":["CVE-2017-18870","GHSA-9j9j-mm2r-9rfm"],"created_at":"2026-04-26 03:02:13.683089+00:00","updated_at":"2026-04-26 03:02:13.683089+00:00"},{"id":5951,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0+incompatible","fixed_version":"10.11.5+incompatible","bug_id":"osv:GO-2025-4178","title":"Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost","description":"Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-58w6-w55x-6wq8","labels":["CVE-2025-13870","GHSA-58w6-w55x-6wq8"],"created_at":"2026-04-26 03:02:13.680319+00:00","updated_at":"2026-04-26 03:02:13.680319+00:00"},{"id":5950,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":null,"bug_id":"osv:GO-2025-4172","title":"Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost","description":"Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost.\n\nNOTE: The source advisory for 
this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-p6gj-jc38-x2m7","labels":["CVE-2025-12756","GHSA-p6gj-jc38-x2m7"],"created_at":"2026-04-26 03:02:13.677437+00:00","updated_at":"2026-04-26 03:02:13.677437+00:00"},{"id":5949,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20251022210333-acda1fb5dd46","bug_id":"osv:GO-2025-4170","title":"Mattermost fails to verify the token used during code exchange in github.com/mattermost/mattermost-server","description":"Mattermost fails to verify the token used during code exchange in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server from v10.5.0 before v10.5.13, from v10.11.0 before v10.11.5, from v10.12.0 before v10.12.2, from v11.0.0 before v11.0.3.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-mp6x-97xj-9x62","labels":["CVE-2025-12421","GHSA-mp6x-97xj-9x62"],"created_at":"2026-04-26 03:02:13.674650+00:00","updated_at":"2026-04-26 03:02:13.674650+00:00"},{"id":5948,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20251015091448-abbf01b9db45","bug_id":"osv:GO-2025-4169","title":"Mattermost fails to sanitize team email addresses in 
github.com/mattermost/mattermost-server","description":"Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server from v10.5.0 before v10.5.13, from v10.11.0 before v10.11.5, from v10.12.0 before v10.12.2, from v11.0.0 before v11.0.3.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4g87-9x45-cx2h","labels":["CVE-2025-12559","GHSA-4g87-9x45-cx2h"],"created_at":"2026-04-26 03:02:13.671887+00:00","updated_at":"2026-04-26 03:02:13.671887+00:00"},{"id":5947,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20251028000919-d3ed703dc833","bug_id":"osv:GO-2025-4168","title":"Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server from v10.5.0 before v10.5.13, from v10.11.0 before v10.11.5, from v10.12.0 before v10.12.2, from v11.0.0 before 
v11.0.4.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3x39-62h4-f8j6","labels":["CVE-2025-12419","GHSA-3x39-62h4-f8j6"],"created_at":"2026-04-26 03:02:13.669169+00:00","updated_at":"2026-04-26 03:02:13.669169+00:00"},{"id":5946,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.3.0-rc1+incompatible","fixed_version":"4.3.0+incompatible","bug_id":"osv:GO-2025-4148","title":"Mattermost Server is vulnerable to Directory Traversal by System Admins in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to Directory Traversal by System Admins in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v4.1.2-0.20171004201910-6be8113eb60c, before v4.2.1-0.20171004194140-6d3cb2ce07fc.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-8qg8-c7mw-6fj7","labels":["CVE-2017-18874","GHSA-8qg8-c7mw-6fj7"],"created_at":"2026-04-26 03:02:13.666444+00:00","updated_at":"2026-04-26 03:02:13.666444+00:00"},{"id":5945,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"5.1.0","bug_id":"osv:GO-2025-4146","title":"Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-5mh6-p63g-3mv5","labels":["CVE-2018-21258","GHSA-5mh6-p63g-3mv5"],"created_at":"2026-04-26 03:02:13.663675+00:00","updated_at":"2026-04-26 03:02:13.663675+00:00"},{"id":5944,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0+incompatible","fixed_version":"10.11.4+incompatible","bug_id":"osv:GO-2025-4133","title":"Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server","description":"Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250905150616-ba86dfc5876b6.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9hh7-6558-qfp2","labels":["CVE-2025-55074","GHSA-9hh7-6558-qfp2"],"created_at":"2026-04-26 03:02:13.660889+00:00","updated_at":"2026-04-26 03:02:13.660889+00:00"},{"id":5943,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"11.0.0-alpha.1+incompatible","bug_id":"osv:GO-2025-4131","title":"Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server","description":"Mattermost allows regular users to access archived channel content and files in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-x3hx-ch7p-8xgg","labels":["CVE-2025-41436","GHSA-x3hx-ch7p-8xgg"],"created_at":"2026-04-26 03:02:13.658068+00:00","updated_at":"2026-04-26 03:02:13.658068+00:00"},{"id":5942,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.12.0+incompatible","fixed_version":"10.12.1+incompatible","bug_id":"osv:GO-2025-4130","title":"Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server","description":"Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-mqp8-pgg5-7x7m","labels":["CVE-2025-11794","GHSA-mqp8-pgg5-7x7m"],"created_at":"2026-04-26 03:02:13.655290+00:00","updated_at":"2026-04-26 03:02:13.655290+00:00"},{"id":5941,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.12.0+incompatible","fixed_version":"10.12.1+incompatible","bug_id":"osv:GO-2025-4129","title":"Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server","description":"Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-ff85-qw3h-g9vp","labels":["CVE-2025-55073","GHSA-ff85-qw3h-g9vp"],"created_at":"2026-04-26 03:02:13.652521+00:00","updated_at":"2026-04-26 
03:02:13.652521+00:00"},{"id":5940,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"11.1.0+incompatible","bug_id":"osv:GO-2025-4128","title":"Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server","description":"Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-xpg8-8xpv-948p","labels":["CVE-2025-55070","GHSA-xpg8-8xpv-948p"],"created_at":"2026-04-26 03:02:13.649700+00:00","updated_at":"2026-04-26 03:02:13.649700+00:00"},{"id":5939,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20250815165020-c8d66301415d","bug_id":"osv:GO-2025-4126","title":"Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost","description":"Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/v5 before v5.3.2-0.20250815165020-c8d66301415d; github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20250815165020-c8d66301415d.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-j6gg-r5jc-47cm","labels":["CVE-2025-11776","GHSA-j6gg-r5jc-47cm"],"created_at":"2026-04-26 03:02:13.646883+00:00","updated_at":"2026-04-26 
03:02:13.646883+00:00"},{"id":5938,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0+incompatible","fixed_version":"10.11.4+incompatible","bug_id":"osv:GO-2025-4122","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost","description":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-mqcj-8c2g-h97q","labels":["CVE-2025-11777","GHSA-mqcj-8c2g-h97q"],"created_at":"2026-04-26 03:02:13.643920+00:00","updated_at":"2026-04-26 03:02:13.643920+00:00"},{"id":5937,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.4.0-rc1+incompatible","fixed_version":"4.4.3+incompatible","bug_id":"osv:GO-2025-4075","title":"Mattermost Server's OAuth 2.0 service is vulnerable to attack through Missing Authorization in github.com/mattermost/mattermost-server","description":"Mattermost Server's OAuth 2.0 service is vulnerable to attack through Missing Authorization in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hgrp-fgm8-56g8","labels":["CVE-2017-18872","GHSA-hgrp-fgm8-56g8"],"created_at":"2026-04-26 03:02:13.641126+00:00","updated_at":"2026-04-26 03:02:13.641126+00:00"},{"id":5936,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"2.1.0+incompatible","bug_id":"osv:GO-2025-4066","title":"Mattermost Server allows XSS via CSRF in github.com/mattermost/mattermost-server","description":"Mattermost Server allows XSS via CSRF in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vw57-55f8-c73q","labels":["CVE-2016-11084","GHSA-vw57-55f8-c73q"],"created_at":"2026-04-26 
03:02:13.638301+00:00","updated_at":"2026-04-26 03:02:13.638301+00:00"},{"id":5935,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"2.2.0+incompatible","bug_id":"osv:GO-2025-4065","title":"Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution in github.com/mattermost/mattermost-server","description":"Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-rm24-25xm-9454","labels":["CVE-2016-11083","GHSA-rm24-25xm-9454"],"created_at":"2026-04-26 03:02:13.635490+00:00","updated_at":"2026-04-26 03:02:13.635490+00:00"},{"id":5934,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"2.2.0+incompatible","bug_id":"osv:GO-2025-4064","title":"Mattermost Server is vulnerable to XSS through crafted links in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to XSS through crafted links in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-m78r-2x6w-qqjp","labels":["CVE-2016-11082","GHSA-m78r-2x6w-qqjp"],"created_at":"2026-04-26 03:02:13.632642+00:00","updated_at":"2026-04-26 03:02:13.632642+00:00"},{"id":5933,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.0+incompatible","bug_id":"osv:GO-2025-4063","title":"Mattermost Server exposes account details to any Team Administrator in github.com/mattermost/mattermost-server","description":"Mattermost Server exposes account details to any Team Administrator in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-g3f3-p9rc-775p","labels":["CVE-2016-11080","GHSA-g3f3-p9rc-775p"],"created_at":"2026-04-26 03:02:13.629870+00:00","updated_at":"2026-04-26 03:02:13.629870+00:00"},{"id":5932,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"2.2.0+incompatible","bug_id":"osv:GO-2025-4062","title":"Mattermost Server exposes information stored by a web browser in github.com/mattermost/mattermost-server","description":"Mattermost Server exposes information stored by a web browser in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-5q37-9874-qxcw","labels":["CVE-2016-11081","GHSA-5q37-9874-qxcw"],"created_at":"2026-04-26 03:02:13.627051+00:00","updated_at":"2026-04-26 03:02:13.627051+00:00"},{"id":5931,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2025-4061","title":"Mattermost Server exposes sensitive information about team URLs via an API in github.com/mattermost/mattermost-server","description":"Mattermost Server exposes sensitive information about team URLs via an API in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v2.0.1-0.20160310160916-26ad6d2c7696.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-q3g9-hgrx-hwhx","labels":["CVE-2016-11075","GHSA-q3g9-hgrx-hwhx"],"created_at":"2026-04-26 
03:02:13.624289+00:00","updated_at":"2026-04-26 03:02:13.624289+00:00"},{"id":5930,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.0+incompatible","bug_id":"osv:GO-2025-4060","title":"Mattermost Server allows System Admin to modify LDAP account names and email addresses in github.com/mattermost/mattermost-server","description":"Mattermost Server allows System Admin to modify LDAP account names and email addresses in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-mj8v-773w-5qhj","labels":["CVE-2016-11077","GHSA-mj8v-773w-5qhj"],"created_at":"2026-04-26 03:02:13.621559+00:00","updated_at":"2026-04-26 03:02:13.621559+00:00"},{"id":5929,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.0+incompatible","bug_id":"osv:GO-2025-4059","title":"Mattermost Server: Insufficient Password-Reset Link Invalidation in github.com/mattermost/mattermost-server","description":"Mattermost Server: Insufficient Password-Reset Link Invalidation in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-j26g-95ph-2mwv","labels":["CVE-2016-11074","GHSA-j26g-95ph-2mwv"],"created_at":"2026-04-26 03:02:13.618785+00:00","updated_at":"2026-04-26 03:02:13.618785+00:00"},{"id":5928,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.1.0+incompatible","bug_id":"osv:GO-2025-4058","title":"Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener` in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener` in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-h3qg-w9j5-wh3m","labels":["CVE-2016-11071","GHSA-h3qg-w9j5-wh3m"],"created_at":"2026-04-26 03:02:13.615995+00:00","updated_at":"2026-04-26 03:02:13.615995+00:00"},{"id":5927,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.0+incompatible","bug_id":"osv:GO-2025-4057","title":"Mattermost Server exposes sensitive information via its System Console UI in github.com/mattermost/mattermost-server","description":"Mattermost Server exposes sensitive information via its System Console UI in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9w4v-9c99-hv7r","labels":["CVE-2016-11078","GHSA-9w4v-9c99-hv7r"],"created_at":"2026-04-26 03:02:13.613172+00:00","updated_at":"2026-04-26 03:02:13.613172+00:00"},{"id":5926,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.0+incompatible","bug_id":"osv:GO-2025-4056","title":"Mattermost Server is vulnerable to XSS via a Legal or Support setting in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to XSS via a Legal or Support setting in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9jrx-fgrm-96qh","labels":["CVE-2016-11073","GHSA-9jrx-fgrm-96qh"],"created_at":"2026-04-26 03:02:13.610384+00:00","updated_at":"2026-04-26 03:02:13.610384+00:00"},{"id":5925,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.2+incompatible","bug_id":"osv:GO-2025-4055","title":"Mattermost Server's Session ID and Session Token are potentially compromised in 
github.com/mattermost/mattermost-server","description":"Mattermost Server's Session ID and Session Token are potentially compromised in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-43m6-wvc8-2m7j","labels":["CVE-2016-11072","GHSA-43m6-wvc8-2m7j"],"created_at":"2026-04-26 03:02:13.607615+00:00","updated_at":"2026-04-26 03:02:13.607615+00:00"},{"id":5924,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.0+incompatible","bug_id":"osv:GO-2025-4054","title":"Mattermost Server does not check if cookies are used over SSL in github.com/mattermost/mattermost-server","description":"Mattermost Server does not check if cookies are used over SSL in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-379p-37xc-q963","labels":["CVE-2016-11076","GHSA-379p-37xc-q963"],"created_at":"2026-04-26 03:02:13.604849+00:00","updated_at":"2026-04-26 03:02:13.604849+00:00"},{"id":5923,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.0+incompatible","bug_id":"osv:GO-2025-4053","title":"Mattermost Server allows XSS via redirect URL in github.com/mattermost/mattermost-server","description":"Mattermost Server allows XSS via redirect URL in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-2j9c-76pp-xc5q","labels":["CVE-2016-11079","GHSA-2j9c-76pp-xc5q"],"created_at":"2026-04-26 03:02:13.602087+00:00","updated_at":"2026-04-26 03:02:13.602087+00:00"},{"id":5922,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.2.0+incompatible","bug_id":"osv:GO-2025-4051","title":"Mattermost Server does not enforce rate limits on password 
change attempts in github.com/mattermost/mattermost-server","description":"Mattermost Server does not enforce rate limits on password change attempts in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qrf6-h5fc-7m96","labels":["CVE-2016-11069","GHSA-qrf6-h5fc-7m96"],"created_at":"2026-04-26 03:02:13.599307+00:00","updated_at":"2026-04-26 03:02:13.599307+00:00"},{"id":5921,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.1.0+incompatible","bug_id":"osv:GO-2025-4050","title":"Mattermost Server is vulnerable to XSS through customizable theme color-code values in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to XSS through customizable theme color-code values in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-h8qw-xqm9-q66j","labels":["CVE-2016-11070","GHSA-h8qw-xqm9-q66j"],"created_at":"2026-04-26 03:02:13.596471+00:00","updated_at":"2026-04-26 03:02:13.596471+00:00"},{"id":5920,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.2.0+incompatible","bug_id":"osv:GO-2025-4048","title":"Mattermost Server is vulnerable to Code Injection through its LDAP fields in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to Code Injection through its LDAP fields in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-7vmw-6c7h-rrrv","labels":["CVE-2016-11068","GHSA-7vmw-6c7h-rrrv"],"created_at":"2026-04-26 03:02:13.593720+00:00","updated_at":"2026-04-26 
03:02:13.593720+00:00"},{"id":5919,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2025-4047","title":"Mattermost Server: initial_load API exposes unnecessary information in github.com/mattermost/mattermost-server","description":"Mattermost Server: initial_load API exposes unnecessary information in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v3.1.1.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-r93j-3mmp-px57","labels":["CVE-2016-11066","GHSA-r93j-3mmp-px57"],"created_at":"2026-04-26 03:02:13.590855+00:00","updated_at":"2026-04-26 03:02:13.590855+00:00"},{"id":5918,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.2.0+incompatible","bug_id":"osv:GO-2025-4046","title":"Mattermost Server is vulnerable to Uncontrolled Resource Consumption in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to Uncontrolled Resource Consumption in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-ffcc-qr2v-3qmv","labels":["CVE-2016-11067","GHSA-ffcc-qr2v-3qmv"],"created_at":"2026-04-26 03:02:13.585312+00:00","updated_at":"2026-04-26 03:02:13.585312+00:00"},{"id":5917,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.5.1+incompatible","bug_id":"osv:GO-2025-4045","title":"Mattermost Server vulnerable to Cross-site Scripting through file 
preview feature in github.com/mattermost/mattermost-server","description":"Mattermost Server vulnerable to Cross-site Scripting through file preview feature in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-cffj-7w5c-jqjh","labels":["CVE-2016-11063","GHSA-cffj-7w5c-jqjh"],"created_at":"2026-04-26 03:02:13.582435+00:00","updated_at":"2026-04-26 03:02:13.582435+00:00"},{"id":5916,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0+incompatible","fixed_version":"10.11.3+incompatible","bug_id":"osv:GO-2025-4036","title":"Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-xr3w-rmvj-f6m7","labels":["CVE-2025-54499","GHSA-xr3w-rmvj-f6m7"],"created_at":"2026-04-26 03:02:13.579657+00:00","updated_at":"2026-04-26 03:02:13.579657+00:00"},{"id":5915,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0+incompatible","fixed_version":"10.11.2+incompatible","bug_id":"osv:GO-2025-4035","title":"Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before 
v8.0.0-20250815100400-2d5cdc6e217e.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-r6qj-894f-5hr2","labels":["CVE-2025-58075","GHSA-r6qj-894f-5hr2"],"created_at":"2026-04-26 03:02:13.576835+00:00","updated_at":"2026-04-26 03:02:13.576835+00:00"},{"id":5914,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0+incompatible","fixed_version":"10.11.2+incompatible","bug_id":"osv:GO-2025-4032","title":"Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-6q7m-p8cc-998r","labels":["CVE-2025-58073","GHSA-6q7m-p8cc-998r"],"created_at":"2026-04-26 03:02:13.573948+00:00","updated_at":"2026-04-26 03:02:13.573948+00:00"},{"id":5913,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2025-4031","title":"Guest user can discover active public channels in github.com/mattermost/mattermost-server","description":"Guest user can discover active public channels in github.com/mattermost/mattermost-server","severity":"medium","status":"open","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-41443","labels":["CVE-2025-41443","GHSA-7cr3-38jm-6p45"],"created_at":"2026-04-26 03:02:13.571172+00:00","updated_at":"2026-04-26 03:02:13.571172+00:00"},{"id":5912,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0+incompatible","fixed_version":"10.11.3+incompatible","bug_id":"osv:GO-2025-4030","title":"Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost has an Incorrect Authorization vulnerability in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-424h-xj87-m937","labels":["CVE-2025-10545","GHSA-424h-xj87-m937"],"created_at":"2026-04-26 03:02:13.568412+00:00","updated_at":"2026-04-26 03:02:13.568412+00:00"},{"id":5911,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0+incompatible","fixed_version":"10.11.3+incompatible","bug_id":"osv:GO-2025-4029","title":"Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250822083415-01b95392a450.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3q4q-wqm6-hvf3","labels":["CVE-2025-41410","GHSA-3q4q-wqm6-hvf3"],"created_at":"2026-04-26 03:02:13.565673+00:00","updated_at":"2026-04-26 03:02:13.565673+00:00"},{"id":5910,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"0.0.0-20250716054606-3f3e3becfe1d","bug_id":"osv:GO-2025-3978","title":"Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards","description":"Mattermost boards plugin fails to restrict download access to files in 
github.com/mattermost/mattermost-plugin-boards","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-f72g-52v7-mg3p","labels":["CVE-2025-9081","GHSA-f72g-52v7-mg3p"],"created_at":"2026-04-26 03:02:13.562854+00:00","updated_at":"2026-04-26 03:02:13.562854+00:00"},{"id":5909,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.10.0+incompatible","fixed_version":"10.10.2+incompatible","bug_id":"osv:GO-2025-3977","title":"Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qx3f-6vq3-8j8m","labels":["CVE-2025-9079","GHSA-qx3f-6vq3-8j8m"],"created_at":"2026-04-26 03:02:13.560020+00:00","updated_at":"2026-04-26 03:02:13.560020+00:00"},{"id":5908,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.10+incompatible","bug_id":"osv:GO-2025-3960","title":"Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-202508080704-39bd251fe4f600.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hm95-jx66-g2gh","labels":["CVE-2025-9084","GHSA-hm95-jx66-g2gh"],"created_at":"2026-04-26 03:02:13.557257+00:00","updated_at":"2026-04-26 
03:02:13.557257+00:00"},{"id":5907,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.10.0+incompatible","fixed_version":"10.10.2+incompatible","bug_id":"osv:GO-2025-3959","title":"Mattermost makes Use of Weak Hash in github.com/mattermost/mattermost-server","description":"Mattermost makes Use of Weak Hash in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9p92-x77w-9fw2","labels":["CVE-2025-9078","GHSA-9p92-x77w-9fw2"],"created_at":"2026-04-26 03:02:13.554381+00:00","updated_at":"2026-04-26 03:02:13.554381+00:00"},{"id":5906,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.10.0+incompatible","fixed_version":"10.10.2+incompatible","bug_id":"osv:GO-2025-3958","title":"Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-69j8-prx2-vx98","labels":["CVE-2025-9072","GHSA-69j8-prx2-vx98"],"created_at":"2026-04-26 03:02:13.551398+00:00","updated_at":"2026-04-26 03:02:13.551398+00:00"},{"id":5905,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.10.0+incompatible","fixed_version":"10.10.2+incompatible","bug_id":"osv:GO-2025-3950","title":"Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected 
modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250729073403-517ae758cd02.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3vcm-c42p-3hhf","labels":["CVE-2025-9076","GHSA-3vcm-c42p-3hhf"],"created_at":"2026-04-26 03:02:13.548731+00:00","updated_at":"2026-04-26 03:02:13.548731+00:00"},{"id":5904,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.10.0+incompatible","fixed_version":"10.10.1+incompatible","bug_id":"osv:GO-2025-3911","title":"Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server","description":"Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250708173752-d6b35c41f0ae5.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-h469-4fcf-p23h","labels":["CVE-2025-8402","GHSA-h469-4fcf-p23h"],"created_at":"2026-04-26 03:02:13.545889+00:00","updated_at":"2026-04-26 03:02:13.545889+00:00"},{"id":5903,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.10.0+incompatible","fixed_version":"10.10.1+incompatible","bug_id":"osv:GO-2025-3910","title":"Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go 
module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250708173752-d6b35c41f0ae5.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-pj6f-rc94-gw53","labels":["CVE-2025-6465","GHSA-pj6f-rc94-gw53"],"created_at":"2026-04-26 03:02:13.543111+00:00","updated_at":"2026-04-26 03:02:13.543111+00:00"},{"id":5902,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.9.0+incompatible","fixed_version":"10.9.3+incompatible","bug_id":"osv:GO-2025-3907","title":"Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-x67c-v8jr-p29r","labels":["CVE-2025-8023","GHSA-x67c-v8jr-p29r"],"created_at":"2026-04-26 03:02:13.540337+00:00","updated_at":"2026-04-26 03:02:13.540337+00:00"},{"id":5901,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.10+incompatible","bug_id":"osv:GO-2025-3906","title":"Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server","description":"Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vqwh-5jhh-vc9p","labels":["CVE-2025-47700","GHSA-vqwh-5jhh-vc9p"],"created_at":"2026-04-26 03:02:13.537505+00:00","updated_at":"2026-04-26 
03:02:13.537505+00:00"},{"id":5900,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.9.0+incompatible","fixed_version":"10.9.3+incompatible","bug_id":"osv:GO-2025-3905","title":"Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server","description":"Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qj47-w9f2-qg44","labels":["CVE-2025-47870","GHSA-qj47-w9f2-qg44"],"created_at":"2026-04-26 03:02:13.534738+00:00","updated_at":"2026-04-26 03:02:13.534738+00:00"},{"id":5899,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.10.0+incompatible","fixed_version":"10.10.1+incompatible","bug_id":"osv:GO-2025-3904","title":"Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250708173752-d6b35c41f0ae5.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-q453-638c-h4mr","labels":["CVE-2025-49222","GHSA-q453-638c-h4mr"],"created_at":"2026-04-26 03:02:13.531914+00:00","updated_at":"2026-04-26 03:02:13.531914+00:00"},{"id":5898,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.9+incompatible","bug_id":"osv:GO-2025-3903","title":"Mattermost Lack of 
Access Control Validation in github.com/mattermost/mattermost-server","description":"Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-pwvr-grqg-7vp2","labels":["CVE-2025-49810","GHSA-pwvr-grqg-7vp2"],"created_at":"2026-04-26 03:02:13.529085+00:00","updated_at":"2026-04-26 03:02:13.529085+00:00"},{"id":5897,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.9+incompatible","bug_id":"osv:GO-2025-3902","title":"Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4276-cm8c-788h","labels":["CVE-2025-53971","GHSA-4276-cm8c-788h"],"created_at":"2026-04-26 03:02:13.526262+00:00","updated_at":"2026-04-26 03:02:13.526262+00:00"},{"id":5896,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.9.0+incompatible","fixed_version":"10.9.2+incompatible","bug_id":"osv:GO-2025-3901","title":"Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before 
v8.0.0-20250619095651-9dd0b3943e55.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-gq3r-5833-5532","labels":["CVE-2025-36530","GHSA-gq3r-5833-5532"],"created_at":"2026-04-26 03:02:13.523493+00:00","updated_at":"2026-04-26 03:02:13.523493+00:00"},{"id":5895,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.8.0+incompatible","fixed_version":"10.8.2+incompatible","bug_id":"osv:GO-2025-3820","title":"Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-wvw2-3jh4-4c39","labels":["CVE-2025-6233","GHSA-wvw2-3jh4-4c39"],"created_at":"2026-04-26 03:02:13.520779+00:00","updated_at":"2026-04-26 03:02:13.520779+00:00"},{"id":5894,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.8.0+incompatible","fixed_version":"10.8.2+incompatible","bug_id":"osv:GO-2025-3819","title":"Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server","description":"Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-7h34-9chr-58qh","labels":["CVE-2025-6226","GHSA-7h34-9chr-58qh"],"created_at":"2026-04-26 03:02:13.518055+00:00","updated_at":"2026-04-26 03:02:13.518055+00:00"},{"id":5893,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.8+incompatible","bug_id":"osv:GO-2025-3818","title":"Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server","description":"Mattermost has Insufficiently Protected Credentials in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4fwj-8595-wp25","labels":["CVE-2025-6227","GHSA-4fwj-8595-wp25"],"created_at":"2026-04-26 03:02:13.515310+00:00","updated_at":"2026-04-26 03:02:13.515310+00:00"},{"id":5892,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.8.0+incompatible","fixed_version":"10.8.1+incompatible","bug_id":"osv:GO-2025-3797","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-wgvp-jj4w-88hf","labels":["CVE-2025-47871","GHSA-wgvp-jj4w-88hf"],"created_at":"2026-04-26 03:02:13.512540+00:00","updated_at":"2026-04-26 03:02:13.512540+00:00"},{"id":5891,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.8.0+incompatible","fixed_version":"10.8.1+incompatible","bug_id":"osv:GO-2025-3796","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-v8fr-vxmw-6mf6","labels":["CVE-2025-46702","GHSA-v8fr-vxmw-6mf6"],"created_at":"2026-04-26 03:02:13.509767+00:00","updated_at":"2026-04-26 03:02:13.509767+00:00"},{"id":5890,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.8.0+incompatible","fixed_version":"10.8.1+incompatible","bug_id":"osv:GO-2025-3772","title":"Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server","description":"Mattermost allows 
unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qwwm-c582-82rx","labels":["CVE-2025-3227","GHSA-qwwm-c582-82rx"],"created_at":"2026-04-26 03:02:13.506736+00:00","updated_at":"2026-04-26 03:02:13.506736+00:00"},{"id":5889,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.8.0+incompatible","fixed_version":"10.8.1+incompatible","bug_id":"osv:GO-2025-3771","title":"Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server","description":"Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4578-6gjh-f2jm","labels":["CVE-2025-3228","GHSA-4578-6gjh-f2jm"],"created_at":"2026-04-26 03:02:13.503968+00:00","updated_at":"2026-04-26 03:02:13.503968+00:00"},{"id":5888,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.8.0+incompatible","fixed_version":"10.8.1+incompatible","bug_id":"osv:GO-2025-3769","title":"Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server","description":"Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qh58-9v3j-wcjc","labels":["CVE-2025-4981","GHSA-qh58-9v3j-wcjc"],"created_at":"2026-04-26 03:02:13.501143+00:00","updated_at":"2026-04-26 03:02:13.501143+00:00"},{"id":5887,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.5+incompatible","bug_id":"osv:GO-2025-3757","title":"Mattermost 
allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server","description":"Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-jwhw-xf5v-qgxc","labels":["CVE-2025-4128","GHSA-jwhw-xf5v-qgxc"],"created_at":"2026-04-26 03:02:13.498278+00:00","updated_at":"2026-04-26 03:02:13.498278+00:00"},{"id":5886,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.7.0+incompatible","fixed_version":"10.7.2+incompatible","bug_id":"osv:GO-2025-3756","title":"Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server","description":"Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4r67-4x4p-fprg","labels":["CVE-2025-4573","GHSA-4r67-4x4p-fprg"],"created_at":"2026-04-26 03:02:13.495474+00:00","updated_at":"2026-04-26 03:02:13.495474+00:00"},{"id":5885,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.7.0-rc1+incompatible","fixed_version":"10.7.1+incompatible","bug_id":"osv:GO-2025-3731","title":"Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-mc2f-jgj6-6cp3","labels":["CVE-2025-3230","GHSA-mc2f-jgj6-6cp3"],"created_at":"2026-04-26 03:02:13.492585+00:00","updated_at":"2026-04-26 
03:02:13.492585+00:00"},{"id":5884,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.6.0-rc1+incompatible","fixed_version":"10.7.1+incompatible","bug_id":"osv:GO-2025-3730","title":"Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hc6v-386m-93pq","labels":["CVE-2025-1792","GHSA-hc6v-386m-93pq"],"created_at":"2026-04-26 03:02:13.489815+00:00","updated_at":"2026-04-26 03:02:13.489815+00:00"},{"id":5883,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.7.0-rc1+incompatible","fixed_version":"10.7.1+incompatible","bug_id":"osv:GO-2025-3729","title":"Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server","description":"Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-8cgx-9ccj-3gwr","labels":["CVE-2025-2571","GHSA-8cgx-9ccj-3gwr"],"created_at":"2026-04-26 03:02:13.487038+00:00","updated_at":"2026-04-26 03:02:13.487038+00:00"},{"id":5882,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.6.0-rc1+incompatible","fixed_version":"10.7.1+incompatible","bug_id":"osv:GO-2025-3728","title":"Mattermost fails to properly enforce access control restrictions for System Manager roles in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly enforce access control restrictions for System Manager roles in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-86jg-35xj-3vv5","labels":["CVE-2025-3611","GHSA-86jg-35xj-3vv5"],"created_at":"2026-04-26 03:02:13.484213+00:00","updated_at":"2026-04-26 03:02:13.484213+00:00"},{"id":5881,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.7.0-rc1+incompatible","fixed_version":"10.7.1+incompatible","bug_id":"osv:GO-2025-3724","title":"Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server","description":"Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4mmr-2w8p-whcr","labels":["CVE-2025-3913","GHSA-4mmr-2w8p-whcr"],"created_at":"2026-04-26 03:02:13.481391+00:00","updated_at":"2026-04-26 03:02:13.481391+00:00"},{"id":5880,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.3+incompatible","bug_id":"osv:GO-2025-3694","title":"Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fpff-wj6m-grvr","labels":["CVE-2025-2570","GHSA-fpff-wj6m-grvr"],"created_at":"2026-04-26 03:02:13.478563+00:00","updated_at":"2026-04-26 03:02:13.478563+00:00"},{"id":5879,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.6.0+incompatible","fixed_version":"10.6.2+incompatible","bug_id":"osv:GO-2025-3693","title":"Mattermost Fails to Validate Team Invite Permissions in 
github.com/mattermost/mattermost-server","description":"Mattermost Fails to Validate Team Invite Permissions in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-r7r2-m3vr-c8qc","labels":["CVE-2025-3446","GHSA-r7r2-m3vr-c8qc"],"created_at":"2026-04-26 03:02:13.475841+00:00","updated_at":"2026-04-26 03:02:13.475841+00:00"},{"id":5878,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.6.0+incompatible","fixed_version":"10.6.2+incompatible","bug_id":"osv:GO-2025-3692","title":"Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qgwx-rffp-6cx9","labels":["CVE-2025-31947","GHSA-qgwx-rffp-6cx9"],"created_at":"2026-04-26 03:02:13.470396+00:00","updated_at":"2026-04-26 03:02:13.470396+00:00"},{"id":5877,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.3+incompatible","bug_id":"osv:GO-2025-3691","title":"Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-h356-3mfw-x368","labels":["CVE-2025-2527","GHSA-h356-3mfw-x368"],"created_at":"2026-04-26 03:02:13.467524+00:00","updated_at":"2026-04-26 
03:02:13.467524+00:00"},{"id":5876,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"1.41.0","bug_id":"osv:GO-2025-3644","title":"Mattermost Playbooks fails to properly validate permissions in github.com/mattermost/mattermost-plugin-playbooks","description":"Mattermost Playbooks fails to properly validate permissions in github.com/mattermost/mattermost-plugin-playbooks.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fr22-5377-f3p7","labels":["CVE-2025-41423","GHSA-fr22-5377-f3p7"],"created_at":"2026-04-26 03:02:13.464735+00:00","updated_at":"2026-04-26 03:02:13.464735+00:00"},{"id":5875,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"1.41.0","bug_id":"osv:GO-2025-3643","title":"Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks","description":"Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-689c-xq7x-xjwf","labels":["CVE-2025-35965","GHSA-689c-xq7x-xjwf"],"created_at":"2026-04-26 
03:02:13.461913+00:00","updated_at":"2026-04-26 03:02:13.461913+00:00"},{"id":5874,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"1.41.0","bug_id":"osv:GO-2025-3642","title":"Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks","description":"Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3g36-gf7c-75qw","labels":["CVE-2025-41395","GHSA-3g36-gf7c-75qw"],"created_at":"2026-04-26 03:02:13.456306+00:00","updated_at":"2026-04-26 03:02:13.456306+00:00"},{"id":5873,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3623","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-mj2p-v2c2-vh4v","labels":["CVE-2025-2564","GHSA-mj2p-v2c2-vh4v"],"created_at":"2026-04-26 03:02:13.453431+00:00","updated_at":"2026-04-26 
03:02:13.453431+00:00"},{"id":5872,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.1+incompatible","bug_id":"osv:GO-2025-3622","title":"Mattermost doesn't restrict domains LLM can request to contact upstream in github.com/mattermost/mattermost-server","description":"Mattermost doesn't restrict domains LLM can request to contact upstream in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9h6j-4ffx-cm84","labels":["CVE-2025-31363","GHSA-9h6j-4ffx-cm84"],"created_at":"2026-04-26 03:02:13.450652+00:00","updated_at":"2026-04-26 03:02:13.450652+00:00"},{"id":5871,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3621","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-j639-m367-75cf","labels":["CVE-2025-24839","GHSA-j639-m367-75cf"],"created_at":"2026-04-26 03:02:13.447876+00:00","updated_at":"2026-04-26 03:02:13.447876+00:00"},{"id":5870,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3620","title":"Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server","description":"Mattermost Missing Authentication for Critical Function in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-j5jw-m2ph-3jjf","labels":["CVE-2025-27538","GHSA-j5jw-m2ph-3jjf"],"created_at":"2026-04-26 03:02:13.445058+00:00","updated_at":"2026-04-26 03:02:13.445058+00:00"},{"id":5869,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3619","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-h4rr-f37j-4hh7","labels":["CVE-2025-27571","GHSA-h4rr-f37j-4hh7"],"created_at":"2026-04-26 03:02:13.442335+00:00","updated_at":"2026-04-26 03:02:13.442335+00:00"},{"id":5868,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3618","title":"Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams","description":"Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-plugin-msteams before v2.1.0.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-2j87-p623-8cc2","labels":["CVE-2025-27936","GHSA-2j87-p623-8cc2"],"created_at":"2026-04-26 
03:02:13.439539+00:00","updated_at":"2026-04-26 03:02:13.439539+00:00"},{"id":5867,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3611","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-wwhj-pw6h-f8hw","labels":["CVE-2025-2424","GHSA-wwhj-pw6h-f8hw"],"created_at":"2026-04-26 03:02:13.436753+00:00","updated_at":"2026-04-26 03:02:13.436753+00:00"},{"id":5866,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3610","title":"Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-server","description":"Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-6rqh-8465-2xcw","labels":["CVE-2025-2475","GHSA-6rqh-8465-2xcw"],"created_at":"2026-04-26 03:02:13.433926+00:00","updated_at":"2026-04-26 03:02:13.433926+00:00"},{"id":5865,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3609","title":"Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Restrict Certain Operations on System Admins in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-322v-vh2g-qvpv","labels":["CVE-2025-32093","GHSA-322v-vh2g-qvpv"],"created_at":"2026-04-26 03:02:13.431108+00:00","updated_at":"2026-04-26 03:02:13.431108+00:00"},{"id":5864,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.11.0+incompatible","fixed_version":"9.11.9+incompatible","bug_id":"osv:GO-2025-3604","title":"Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-xfq9-hh5x-xfq9","labels":["CVE-2025-24866","GHSA-xfq9-hh5x-xfq9"],"created_at":"2026-04-26 03:02:13.428298+00:00","updated_at":"2026-04-26 03:02:13.428298+00:00"},{"id":5863,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.4.0+incompatible","fixed_version":"10.4.3+incompatible","bug_id":"osv:GO-2025-3556","title":"Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server","description":"Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-h5v9-xw2g-7hrq","labels":["BIT-mattermost-2025-27933","CVE-2025-27933","GHSA-h5v9-xw2g-7hrq"],"created_at":"2026-04-26 03:02:13.425528+00:00","updated_at":"2026-04-26 
03:02:13.425528+00:00"},{"id":5862,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.11.0+incompatible","fixed_version":"9.11.9+incompatible","bug_id":"osv:GO-2025-3555","title":"Mattermost fail to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server","description":"Mattermost fail to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-cw7q-5cgc-h3h9","labels":["BIT-mattermost-2025-27715","CVE-2025-27715","GHSA-cw7q-5cgc-h3h9"],"created_at":"2026-04-26 03:02:13.422714+00:00","updated_at":"2026-04-26 03:02:13.422714+00:00"},{"id":5861,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.1+incompatible","bug_id":"osv:GO-2025-3552","title":"Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-rp74-x43m-cpw3","labels":["BIT-mattermost-2025-24920","CVE-2025-24920","GHSA-rp74-x43m-cpw3"],"created_at":"2026-04-26 03:02:13.419952+00:00","updated_at":"2026-04-26 03:02:13.419952+00:00"},{"id":5860,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.1+incompatible","bug_id":"osv:GO-2025-3551","title":"Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Enforce MFA on Plugin Endpoints in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-72qv-j8vr-xvfv","labels":["BIT-mattermost-2025-25068","CVE-2025-25068","GHSA-72qv-j8vr-xvfv"],"created_at":"2026-04-26 03:02:13.417192+00:00","updated_at":"2026-04-26 03:02:13.417192+00:00"},{"id":5859,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.1+incompatible","bug_id":"osv:GO-2025-3550","title":"Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4v65-xqcj-wpgg","labels":["BIT-mattermost-2025-25274","CVE-2025-25274","GHSA-4v65-xqcj-wpgg"],"created_at":"2026-04-26 03:02:13.414219+00:00","updated_at":"2026-04-26 03:02:13.414219+00:00"},{"id":5858,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0+incompatible","fixed_version":"10.5.1+incompatible","bug_id":"osv:GO-2025-3549","title":"Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3gpx-p63p-pr5r","labels":["BIT-mattermost-2025-30179","CVE-2025-30179","GHSA-3gpx-p63p-pr5r"],"created_at":"2026-04-26 03:02:13.411382+00:00","updated_at":"2026-04-26 03:02:13.411382+00:00"},{"id":5857,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.11.0+incompatible","fixed_version":"9.11.9+incompatible","bug_id":"osv:GO-2025-3534","title":"Mattermost Fails to Properly Perform 
Viewer Role Authorization in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fqrq-xmxj-v47x","labels":["CVE-2025-1472","GHSA-fqrq-xmxj-v47x"],"created_at":"2026-04-26 03:02:13.408560+00:00","updated_at":"2026-04-26 03:02:13.408560+00:00"},{"id":5856,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.4.0-rc1+incompatible","fixed_version":"10.4.2+incompatible","bug_id":"osv:GO-2025-3483","title":"Mattermost allows reading arbitrary files in github.com/mattermost/mattermost-server","description":"Mattermost allows reading arbitrary files in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-v469-7wp6-7cvp","labels":["CVE-2025-20051","GHSA-v469-7wp6-7cvp"],"created_at":"2026-04-26 03:02:13.405684+00:00","updated_at":"2026-04-26 03:02:13.405684+00:00"},{"id":5855,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.4.0-rc1+incompatible","fixed_version":"10.4.2+incompatible","bug_id":"osv:GO-2025-3482","title":"Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server","description":"Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-rhvr-6w8c-6v7w","labels":["CVE-2025-1412","GHSA-rhvr-6w8c-6v7w"],"created_at":"2026-04-26 03:02:13.402913+00:00","updated_at":"2026-04-26 
03:02:13.402913+00:00"},{"id":5854,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.4.0-rc1+incompatible","fixed_version":"10.4.2+incompatible","bug_id":"osv:GO-2025-3481","title":"Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server","description":"Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-q8p2-2hwc-jw64","labels":["CVE-2025-24526","GHSA-q8p2-2hwc-jw64"],"created_at":"2026-04-26 03:02:13.400110+00:00","updated_at":"2026-04-26 03:02:13.400110+00:00"},{"id":5853,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.4.0-rc1+incompatible","fixed_version":"10.4.2+incompatible","bug_id":"osv:GO-2025-3480","title":"Mattermost allows reading arbitrary files related to importing boards in github.com/mattermost/mattermost-server","description":"Mattermost allows reading arbitrary files related to importing boards in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-5fwx-p6xh-vjrh","labels":["CVE-2025-25279","GHSA-5fwx-p6xh-vjrh"],"created_at":"2026-04-26 03:02:13.397285+00:00","updated_at":"2026-04-26 03:02:13.397285+00:00"},{"id":5852,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.2.0+incompatible","fixed_version":"10.2.1+incompatible","bug_id":"osv:GO-2025-3407","title":"Mattermost webapp crash via a crafted post in github.com/mattermost/mattermost-server","description":"Mattermost webapp crash via a crafted post in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-w6xh-c82w-h997","labels":["CVE-2025-20621","GHSA-w6xh-c82w-h997"],"created_at":"2026-04-26 03:02:13.394378+00:00","updated_at":"2026-04-26 03:02:13.394378+00:00"},{"id":5851,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.2.0+incompatible","fixed_version":"10.2.1+incompatible","bug_id":"osv:GO-2025-3394","title":"Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-45v9-w9fh-33j6","labels":["CVE-2025-20088","GHSA-45v9-w9fh-33j6"],"created_at":"2026-04-26 03:02:13.391522+00:00","updated_at":"2026-04-26 03:02:13.391522+00:00"},{"id":5850,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.2.0+incompatible","fixed_version":"10.2.1+incompatible","bug_id":"osv:GO-2025-3393","title":"Mattermost Incorrect Type Conversion or Cast in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Type Conversion or Cast in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-8j3q-gc9x-7972","labels":["CVE-2025-21088","GHSA-8j3q-gc9x-7972"],"created_at":"2026-04-26 03:02:13.388599+00:00","updated_at":"2026-04-26 03:02:13.388599+00:00"},{"id":5849,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.2.0+incompatible","fixed_version":"10.2.1+incompatible","bug_id":"osv:GO-2025-3392","title":"Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly validate post props in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-5m7j-6gc4-ff5g","labels":["CVE-2025-20086","GHSA-5m7j-6gc4-ff5g"],"created_at":"2026-04-26 03:02:13.383243+00:00","updated_at":"2026-04-26 03:02:13.383243+00:00"},{"id":5848,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"10.3.0+incompatible","bug_id":"osv:GO-2025-3380","title":"Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server","description":"Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-7rgp-4j56-fm79","labels":["CVE-2025-22445","GHSA-7rgp-4j56-fm79"],"created_at":"2026-04-26 03:02:13.377630+00:00","updated_at":"2026-04-26 03:02:13.377630+00:00"},{"id":5847,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.2.0+incompatible","fixed_version":"10.2.1+incompatible","bug_id":"osv:GO-2025-3379","title":"Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit 
to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server from v9.11.0 before v9.11.16.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-2549-xh72-qrpm","labels":["CVE-2025-20033","GHSA-2549-xh72-qrpm"],"created_at":"2026-04-26 03:02:13.374841+00:00","updated_at":"2026-04-26 03:02:13.374841+00:00"},{"id":5846,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.11.0+incompatible","fixed_version":null,"bug_id":"osv:GO-2025-3377","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v9.11.16.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-q8fg-cp3q-5jwm","labels":["CVE-2025-22449","GHSA-q8fg-cp3q-5jwm"],"created_at":"2026-04-26 03:02:13.372007+00:00","updated_at":"2026-04-26 03:02:13.372007+00:00"},{"id":5845,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.1.0+incompatible","fixed_version":"10.1.3+incompatible","bug_id":"osv:GO-2024-3340","title":"Mattermost Data Amplification vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Data Amplification vulnerability in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-v647-h8jj-fw5r","labels":["CVE-2024-54682","GHSA-v647-h8jj-fw5r"],"created_at":"2026-04-26 03:02:13.369167+00:00","updated_at":"2026-04-26 03:02:13.369167+00:00"},{"id":5844,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.1.0+incompatible","fixed_version":"10.1.3+incompatible","bug_id":"osv:GO-2024-3338","title":"Mattermost Race Condition vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Race Condition vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-826h-p4c3-477p","labels":["CVE-2024-48872","GHSA-826h-p4c3-477p"],"created_at":"2026-04-26 03:02:13.366437+00:00","updated_at":"2026-04-26 03:02:13.366437+00:00"},{"id":5843,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.1.0+incompatible","fixed_version":"10.1.3+incompatible","bug_id":"osv:GO-2024-3337","title":"Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-69pr-78gv-7c6h","labels":["CVE-2024-54083","GHSA-69pr-78gv-7c6h"],"created_at":"2026-04-26 03:02:13.363650+00:00","updated_at":"2026-04-26 03:02:13.363650+00:00"},{"id":5842,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"0.0.0-20240209181221-674f549daf0e","bug_id":"osv:GO-2024-3334","title":"Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server","description":"Mattermost Server Resource Exhaustion 
in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qqc8-rv37-79q5","labels":["BIT-mattermost-2024-28053","CVE-2024-28053","GHSA-qqc8-rv37-79q5"],"created_at":"2026-04-26 03:02:13.360887+00:00","updated_at":"2026-04-26 03:02:13.360887+00:00"},{"id":5841,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20240926115259-20ed58906adc","bug_id":"osv:GO-2024-3235","title":"Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server","description":"Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50052","labels":["CVE-2024-50052","GHSA-g376-m3h3-mj4r"],"created_at":"2026-04-26 03:02:13.358151+00:00","updated_at":"2026-04-26 03:02:13.358151+00:00"},{"id":5840,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20240926115259-20ed58906adc","bug_id":"osv:GO-2024-3234","title":"Mattermost Server vulnerable to application crash from attacker-generated large response in github.com/mattermost/mattermost-server","description":"Mattermost Server vulnerable to application crash from attacker-generated large response in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-762v-rq7q-ff97","labels":["CVE-2024-47401","GHSA-762v-rq7q-ff97"],"created_at":"2026-04-26 03:02:13.355289+00:00","updated_at":"2026-04-26 03:02:13.355289+00:00"},{"id":5839,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20240926115259-20ed58906adc","bug_id":"osv:GO-2024-3233","title":"Mattermost Server 
Path Traversal vulnerability that leads to Cross-Site Request Forgery in github.com/mattermost/mattermost-server","description":"Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-762g-9p7f-mrww","labels":["BIT-mattermost-2024-46872","CVE-2024-46872","GHSA-762g-9p7f-mrww"],"created_at":"2026-04-26 03:02:13.352459+00:00","updated_at":"2026-04-26 03:02:13.352459+00:00"},{"id":5838,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20240813135334-8f3a13122f55","bug_id":"osv:GO-2024-3232","title":"Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server","description":"Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-6mvp-gh77-7vwh","labels":["CVE-2024-10241","GHSA-6mvp-gh77-7vwh"],"created_at":"2026-04-26 03:02:13.349626+00:00","updated_at":"2026-04-26 03:02:13.349626+00:00"},{"id":5837,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20240821220019-0d6b1070a26f","bug_id":"osv:GO-2024-3227","title":"Mattermost incorrectly issues two sessions when using desktop SSO in github.com/mattermost/mattermost-server","description":"Mattermost incorrectly issues two sessions when using desktop SSO in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hm57-h27x-599c","labels":["CVE-2024-10214","GHSA-hm57-h27x-599c"],"created_at":"2026-04-26 03:02:13.346795+00:00","updated_at":"2026-04-26 
03:02:13.346795+00:00"},{"id":5836,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20240806094731-69a8b3df0f9f","bug_id":"osv:GO-2024-3164","title":"Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server","description":"Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-59hf-mpf8-pqjh","labels":["BIT-mattermost-2024-47003","CVE-2024-47003","GHSA-59hf-mpf8-pqjh"],"created_at":"2026-04-26 03:02:13.341299+00:00","updated_at":"2026-04-26 03:02:13.341299+00:00"},{"id":5835,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.10.0+incompatible","fixed_version":"9.10.1+incompatible","bug_id":"osv:GO-2024-3097","title":"Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hrf9-rm95-fpf3","labels":["CVE-2024-40886","GHSA-hrf9-rm95-fpf3"],"created_at":"2026-04-26 03:02:13.338525+00:00","updated_at":"2026-04-26 03:02:13.338525+00:00"},{"id":5834,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.10.0+incompatible","fixed_version":"9.10.1+incompatible","bug_id":"osv:GO-2024-3096","title":"Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server","description":"Mattermost allows remote/synthetic users to create sessions, reset passwords in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-c6vp-jjgv-38wj","labels":["CVE-2024-39836","GHSA-c6vp-jjgv-38wj"],"created_at":"2026-04-26 03:02:13.335805+00:00","updated_at":"2026-04-26 03:02:13.335805+00:00"},{"id":5833,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.10.0+incompatible","fixed_version":"9.10.1+incompatible","bug_id":"osv:GO-2024-3094","title":"Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server","description":"Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-5263-pm2h-m7hw","labels":["CVE-2024-8071","GHSA-5263-pm2h-m7hw"],"created_at":"2026-04-26 03:02:13.333030+00:00","updated_at":"2026-04-26 03:02:13.333030+00:00"},{"id":5832,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.10.0+incompatible","fixed_version":"9.10.1+incompatible","bug_id":"osv:GO-2024-3093","title":"Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server","description":"Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4ww8-fprq-cq34","labels":["CVE-2024-32939","GHSA-4ww8-fprq-cq34"],"created_at":"2026-04-26 03:02:13.330310+00:00","updated_at":"2026-04-26 03:02:13.330310+00:00"},{"id":5831,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3092","title":"Mattermost allows unsolicited invites to expose access to local channels in 
github.com/mattermost/mattermost-server","description":"Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-q22q-2rrf-m27p","labels":["CVE-2024-39777","GHSA-q22q-2rrf-m27p"],"created_at":"2026-04-26 03:02:13.327582+00:00","updated_at":"2026-04-26 03:02:13.327582+00:00"},{"id":5830,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.10.0+incompatible","fixed_version":"9.10.1+incompatible","bug_id":"osv:GO-2024-3091","title":"Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server","description":"Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fxq9-6946-34q7","labels":["BIT-mattermost-2024-42497","CVE-2024-42497","GHSA-fxq9-6946-34q7"],"created_at":"2026-04-26 03:02:13.324779+00:00","updated_at":"2026-04-26 03:02:13.324779+00:00"},{"id":5829,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.10.0+incompatible","fixed_version":"9.10.1+incompatible","bug_id":"osv:GO-2024-3090","title":"Mattermost allows team admin user without \"Add Team Members\" permission to disable invite URL in github.com/mattermost/mattermost-server","description":"Mattermost allows team admin user without \"Add Team Members\" permission to disable invite URL in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3j95-8g47-fpwh","labels":["BIT-mattermost-2024-40884","CVE-2024-40884","GHSA-3j95-8g47-fpwh"],"created_at":"2026-04-26 
03:02:13.321949+00:00","updated_at":"2026-04-26 03:02:13.321949+00:00"},{"id":5828,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.10.0+incompatible","fixed_version":"9.10.1+incompatible","bug_id":"osv:GO-2024-3089","title":"Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server","description":"Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-2jhx-w3vc-w59g","labels":["BIT-mattermost-2024-43780","CVE-2024-43780","GHSA-2jhx-w3vc-w59g"],"created_at":"2026-04-26 03:02:13.319120+00:00","updated_at":"2026-04-26 03:02:13.319120+00:00"},{"id":5827,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3032","title":"Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server","description":"Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vvpg-55p7-5h8w","labels":["BIT-mattermost-2024-39837","CVE-2024-39837","GHSA-vvpg-55p7-5h8w"],"created_at":"2026-04-26 03:02:13.316259+00:00","updated_at":"2026-04-26 03:02:13.316259+00:00"},{"id":5826,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3031","title":"Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server","description":"Mattermost allows a remote actor to make an arbitrary local channel read-only in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-jr9x-3x7m-4j75","labels":["BIT-mattermost-2024-41162","CVE-2024-41162","GHSA-jr9x-3x7m-4j75"],"created_at":"2026-04-26 03:02:13.313529+00:00","updated_at":"2026-04-26 03:02:13.313529+00:00"},{"id":5825,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3030","title":"Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server","description":"Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-jq3g-xqpx-37x3","labels":["CVE-2024-29977","GHSA-jq3g-xqpx-37x3"],"created_at":"2026-04-26 03:02:13.310758+00:00","updated_at":"2026-04-26 03:02:13.310758+00:00"},{"id":5824,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3028","title":"Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server","description":"Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-cmc8-222c-vqp9","labels":["CVE-2024-39274","GHSA-cmc8-222c-vqp9"],"created_at":"2026-04-26 03:02:13.308019+00:00","updated_at":"2026-04-26 
03:02:13.308019+00:00"},{"id":5823,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3025","title":"Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server","description":"Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-56mc-f9w7-2wxq","labels":["CVE-2024-36492","GHSA-56mc-f9w7-2wxq"],"created_at":"2026-04-26 03:02:13.305233+00:00","updated_at":"2026-04-26 03:02:13.305233+00:00"},{"id":5822,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3024","title":"Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server","description":"Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vg6q-84p8-qvqh","labels":["BIT-mattermost-2024-39839","CVE-2024-39839","GHSA-vg6q-84p8-qvqh"],"created_at":"2026-04-26 03:02:13.302370+00:00","updated_at":"2026-04-26 03:02:13.302370+00:00"},{"id":5821,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3023","title":"Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server","description":"Mattermost allows remote actor to create/update/delete posts in arbitrary channels in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vg67-chm7-8m3j","labels":["BIT-mattermost-2024-41144","CVE-2024-41144","GHSA-vg67-chm7-8m3j"],"created_at":"2026-04-26 03:02:13.299526+00:00","updated_at":"2026-04-26 03:02:13.299526+00:00"},{"id":5820,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3022","title":"Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server","description":"Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9fpw-c9x7-cv3j","labels":["BIT-mattermost-2024-41926","CVE-2024-41926","GHSA-9fpw-c9x7-cv3j"],"created_at":"2026-04-26 03:02:13.296755+00:00","updated_at":"2026-04-26 03:02:13.296755+00:00"},{"id":5819,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3020","title":"Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server","description":"Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-762m-4cx6-6mf4","labels":["CVE-2024-39832","GHSA-762m-4cx6-6mf4"],"created_at":"2026-04-26 03:02:13.294037+00:00","updated_at":"2026-04-26 
03:02:13.294037+00:00"},{"id":5818,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.6.0-rc1+incompatible","fixed_version":"9.6.1+incompatible","bug_id":"osv:GO-2024-2798","title":"Mattermost fails to limit the number of active sessions in github.com/mattermost/mattermost-server","description":"Mattermost fails to limit the number of active sessions in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-wj37-mpq9-xrcm","labels":["CVE-2024-4183","GHSA-wj37-mpq9-xrcm"],"created_at":"2026-04-26 03:02:13.291267+00:00","updated_at":"2026-04-26 03:02:13.291267+00:00"},{"id":5817,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.6.0-rc1+incompatible","fixed_version":"9.6.1+incompatible","bug_id":"osv:GO-2024-2797","title":"Mattermost's detailed error messages reveal the full file path in github.com/mattermost/mattermost-server","description":"Mattermost's detailed error messages reveal the full file path in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vx97-8q8q-qgq5","labels":["CVE-2024-32046","GHSA-vx97-8q8q-qgq5"],"created_at":"2026-04-26 03:02:13.288433+00:00","updated_at":"2026-04-26 03:02:13.288433+00:00"},{"id":5816,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.6.0-rc1+incompatible","fixed_version":"9.6.1+incompatible","bug_id":"osv:GO-2024-2796","title":"Mattermost fails to limit the size of a request path in github.com/mattermost/mattermost-server","description":"Mattermost fails to limit the size of a request path in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-p2wq-4ggp-45f3","labels":["CVE-2024-22091","GHSA-p2wq-4ggp-45f3"],"created_at":"2026-04-26 03:02:13.285667+00:00","updated_at":"2026-04-26 03:02:13.285667+00:00"},{"id":5815,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.6.0-rc1+incompatible","fixed_version":"9.6.1+incompatible","bug_id":"osv:GO-2024-2795","title":"Mattermost crashes web clients via a malformed custom status in github.com/mattermost/mattermost-server","description":"Mattermost crashes web clients via a malformed custom status in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-8f99-g2pj-x8w3","labels":["CVE-2024-4182","GHSA-8f99-g2pj-x8w3"],"created_at":"2026-04-26 03:02:13.282873+00:00","updated_at":"2026-04-26 03:02:13.282873+00:00"},{"id":5814,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.6.0-rc1+incompatible","fixed_version":"9.6.1+incompatible","bug_id":"osv:GO-2024-2794","title":"Mattermost fails to fully validate role changes in github.com/mattermost/mattermost-server","description":"Mattermost fails to fully validate role changes in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-5qx9-9ffj-5r8f","labels":["CVE-2024-4198","GHSA-5qx9-9ffj-5r8f"],"created_at":"2026-04-26 03:02:13.280043+00:00","updated_at":"2026-04-26 03:02:13.280043+00:00"},{"id":5813,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.5.0+incompatible","fixed_version":"9.5.3+incompatible","bug_id":"osv:GO-2024-2793","title":"Mattermost allows team admins to promote guests to team admins in github.com/mattermost/mattermost-server","description":"Mattermost allows 
team admins to promote guests to team admins in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-5fh7-7mw7-mmx5","labels":["CVE-2024-4195","GHSA-5fh7-7mw7-mmx5"],"created_at":"2026-04-26 03:02:13.277232+00:00","updated_at":"2026-04-26 03:02:13.277232+00:00"},{"id":5812,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2024-2707","title":"Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server","description":"Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.11.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-xp9j-8p68-9q93","labels":["BIT-mattermost-2024-21848","CVE-2024-21848","GHSA-xp9j-8p68-9q93"],"created_at":"2026-04-26 03:02:13.274456+00:00","updated_at":"2026-04-26 03:02:13.274456+00:00"},{"id":5811,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.5.0+incompatible","fixed_version":"9.5.2+incompatible","bug_id":"osv:GO-2024-2706","title":"Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server","description":"Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit 
to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-w67v-ph4x-f48q","labels":["BIT-mattermost-2024-29221","CVE-2024-29221","GHSA-w67v-ph4x-f48q"],"created_at":"2026-04-26 03:02:13.271692+00:00","updated_at":"2026-04-26 03:02:13.271692+00:00"},{"id":5810,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.5.0+incompatible","fixed_version":"9.5.2+incompatible","bug_id":"osv:GO-2024-2696","title":"Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server","description":"Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-wp43-vprh-c3w5","labels":["BIT-mattermost-2024-2447","CVE-2024-2447","GHSA-wp43-vprh-c3w5"],"created_at":"2026-04-26 03:02:13.268958+00:00","updated_at":"2026-04-26 03:02:13.268958+00:00"},{"id":5809,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.5.0+incompatible","fixed_version":"9.5.2+incompatible","bug_id":"osv:GO-2024-2695","title":"Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server","description":"Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server.\n\nNOTE: 
The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-mcw6-3256-64gg","labels":["BIT-mattermost-2024-28949","CVE-2024-28949","GHSA-mcw6-3256-64gg"],"created_at":"2026-04-26 03:02:13.266148+00:00","updated_at":"2026-04-26 03:02:13.266148+00:00"},{"id":5808,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.0.0+incompatible","fixed_version":"9.4.0+incompatible","bug_id":"osv:GO-2024-2635","title":"Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost-server","description":"Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-r4fm-g65h-cr54","labels":["BIT-mattermost-2024-1952","CVE-2024-1952","GHSA-r4fm-g65h-cr54"],"created_at":"2026-04-26 03:02:13.263354+00:00","updated_at":"2026-04-26 03:02:13.263354+00:00"},{"id":5807,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.0.0+incompatible","fixed_version":"9.4.2+incompatible","bug_id":"osv:GO-2024-2595","title":"Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing 
false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-xgxj-j98c-59rv","labels":["CVE-2024-23488","GHSA-xgxj-j98c-59rv"],"created_at":"2026-04-26 03:02:13.260527+00:00","updated_at":"2026-04-26 03:02:13.260527+00:00"},{"id":5806,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.4.0+incompatible","fixed_version":"9.4.2+incompatible","bug_id":"osv:GO-2024-2594","title":"Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server","description":"Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vm9m-57jr-4pxh","labels":["BIT-mattermost-2024-1953","CVE-2024-1953","GHSA-vm9m-57jr-4pxh"],"created_at":"2026-04-26 03:02:13.257711+00:00","updated_at":"2026-04-26 03:02:13.257711+00:00"},{"id":5805,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.4.0+incompatible","fixed_version":"9.4.2+incompatible","bug_id":"osv:GO-2024-2593","title":"Mattermost fails to check the \"invite_guest\" permission in github.com/mattermost/mattermost-server","description":"Mattermost fails to check the \"invite_guest\" permission in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report 
contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-pfw6-5rx3-xh3c","labels":["CVE-2024-1888","GHSA-pfw6-5rx3-xh3c"],"created_at":"2026-04-26 03:02:13.254980+00:00","updated_at":"2026-04-26 03:02:13.254980+00:00"},{"id":5804,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.3.0+incompatible","fixed_version":"9.3.1+incompatible","bug_id":"osv:GO-2024-2592","title":"Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server","description":"Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hwjf-4667-gqwx","labels":["BIT-mattermost-2024-1942","CVE-2024-1942","GHSA-hwjf-4667-gqwx"],"created_at":"2026-04-26 03:02:13.252220+00:00","updated_at":"2026-04-26 03:02:13.252220+00:00"},{"id":5803,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.3.0+incompatible","fixed_version":"9.3.1+incompatible","bug_id":"osv:GO-2024-2591","title":"Mattermost post fetching without auditing in compliance export in 
github.com/mattermost/mattermost-server","description":"Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fx48-xv6q-6gp3","labels":["CVE-2024-1887","GHSA-fx48-xv6q-6gp3"],"created_at":"2026-04-26 03:02:13.249496+00:00","updated_at":"2026-04-26 03:02:13.249496+00:00"},{"id":5802,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.4.0+incompatible","fixed_version":"9.4.2+incompatible","bug_id":"osv:GO-2024-2590","title":"Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server","description":"Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-7v3v-984v-h74r","labels":["BIT-mattermost-2024-23493","CVE-2024-23493","GHSA-7v3v-984v-h74r"],"created_at":"2026-04-26 03:02:13.246778+00:00","updated_at":"2026-04-26 
03:02:13.246778+00:00"},{"id":5801,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.3.0+incompatible","fixed_version":"9.3.1+incompatible","bug_id":"osv:GO-2024-2589","title":"Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server","description":"Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-6mx3-9qfh-77gj","labels":["BIT-mattermost-2024-24988","CVE-2024-24988","GHSA-6mx3-9qfh-77gj"],"created_at":"2026-04-26 03:02:13.244054+00:00","updated_at":"2026-04-26 03:02:13.244054+00:00"},{"id":5800,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.0.0+incompatible","fixed_version":"9.4.2+incompatible","bug_id":"osv:GO-2024-2588","title":"Mattermost race condition in github.com/mattermost/mattermost-server","description":"Mattermost race condition in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before 
v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3g35-v53r-gpxc","labels":["BIT-mattermost-2024-1949","CVE-2024-1949","GHSA-3g35-v53r-gpxc"],"created_at":"2026-04-26 03:02:13.241342+00:00","updated_at":"2026-04-26 03:02:13.241342+00:00"},{"id":5799,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.0.0+incompatible","fixed_version":"9.3.0+incompatible","bug_id":"osv:GO-2024-2566","title":"Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server","description":"Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.8.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-r833-w756-h5p2","labels":["BIT-mattermost-2024-24776","CVE-2024-24776","GHSA-r833-w756-h5p2"],"created_at":"2026-04-26 03:02:13.238617+00:00","updated_at":"2026-04-26 03:02:13.238617+00:00"},{"id":5798,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.2.0+incompatible","fixed_version":"9.2.4+incompatible","bug_id":"osv:GO-2024-2541","title":"Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server","description":"Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing 
false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.8.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-32h7-7j94-8fc2","labels":["BIT-mattermost-2024-1402","CVE-2024-1402","GHSA-32h7-7j94-8fc2"],"created_at":"2026-04-26 03:02:13.235830+00:00","updated_at":"2026-04-26 03:02:13.235830+00:00"},{"id":5797,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2024-2450","title":"Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v7.8.10; github.com/mattermost/mattermost/server/v8 before v8.1.1.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-w88v-pjr8-cmv2","labels":["BIT-mattermost-2023-47858","CVE-2023-47858","GHSA-w88v-pjr8-cmv2"],"created_at":"2026-04-26 03:02:13.233063+00:00","updated_at":"2026-04-26 03:02:13.233063+00:00"},{"id":5796,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.1.7+incompatible","bug_id":"osv:GO-2024-2448","title":"Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server","description":"Mattermost notified all users in the channel 
when using WebSockets to respond individually in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-q7rx-w656-fwmv","labels":["BIT-mattermost-2023-48732","CVE-2023-48732","GHSA-q7rx-w656-fwmv"],"created_at":"2026-04-26 03:02:13.230283+00:00","updated_at":"2026-04-26 03:02:13.230283+00:00"},{"id":5795,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2024-2446","title":"Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-h3gq-j7p9-x3p4","labels":["BIT-mattermost-2023-7113","CVE-2023-7113","GHSA-h3gq-j7p9-x3p4"],"created_at":"2026-04-26 03:02:13.227454+00:00","updated_at":"2026-04-26 03:02:13.227454+00:00"},{"id":5794,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2024-2444","title":"Mattermost allows demoted guests to change group names in 
github.com/mattermost/mattermost-server","description":"Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-9w97-9rqx-8v4j","labels":["BIT-mattermost-2023-50333","CVE-2023-50333","GHSA-9w97-9rqx-8v4j"],"created_at":"2026-04-26 03:02:13.224679+00:00","updated_at":"2026-04-26 03:02:13.224679+00:00"},{"id":5793,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"5.20.0","bug_id":"osv:GO-2023-1939","title":"Mattermost Server Sensitive Data Exposure in github.com/mattermost/mattermost","description":"Mattermost Server Sensitive Data Exposure in github.com/mattermost/mattermost","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-j2h2-cvwh-cr64","labels":["BIT-mattermost-2020-14457","CVE-2020-14457","GHSA-j2h2-cvwh-cr64"],"created_at":"2026-04-26 03:02:13.221862+00:00","updated_at":"2026-04-26 03:02:13.221862+00:00"},{"id":5792,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"5.37.9","bug_id":"osv:GO-2022-0616","title":"Improper Privilege Management in Mattermost in github.com/mattermost/mattermost-server","description":"Improper Privilege Management in Mattermost in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qggc-pj29-j27m","labels":["BIT-mattermost-2022-1332","CVE-2022-1332","GHSA-qggc-pj29-j27m"],"created_at":"2026-04-26 03:02:13.219078+00:00","updated_at":"2026-04-26 03:02:13.219078+00:00"},{"id":5791,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"5.39.0","bug_id":"osv:GO-2022-0604","title":"Cross-site Scripting in Mattermost in github.com/mattermost/mattermost-server","description":"Cross-site Scripting in Mattermost in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hv5f-73mr-7vvj","labels":["CVE-2021-37860","GHSA-hv5f-73mr-7vvj"],"created_at":"2026-04-26 03:02:13.216206+00:00","updated_at":"2026-04-26 03:02:13.216206+00:00"},{"id":5790,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"6.5.0","bug_id":"osv:GO-2022-0599","title":"Improper Control of a Resource Through its Lifetime in Mattermost in github.com/mattermost/mattermost-server","description":"Improper Control of a Resource Through its Lifetime in Mattermost in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fxwj-v664-wv5g","labels":["BIT-mattermost-2022-1385","CVE-2022-1385","GHSA-fxwj-v664-wv5g"],"created_at":"2026-04-26 03:02:13.213390+00:00","updated_at":"2026-04-26 03:02:13.213390+00:00"},{"id":5789,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"6.4.2","bug_id":"osv:GO-2022-0595","title":"Resource exhaustion in Mattermost in github.com/mattermost/mattermost-server","description":"Resource exhaustion in Mattermost in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-f37q-q7p2-ccfc","labels":["BIT-mattermost-2022-1337","CVE-2022-1337","GHSA-f37q-q7p2-ccfc"],"created_at":"2026-04-26 03:02:13.210592+00:00","updated_at":"2026-04-26 03:02:13.210592+00:00"},{"id":5788,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"6.4.0","fixed_version":"6.5.0","bug_id":"osv:GO-2022-0576","title":"Insecure plugin handling in Mattermost in github.com/mattermost/mattermost-server","description":"Insecure plugin handling in Mattermost in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-32rp-q37p-jg6w","labels":["BIT-mattermost-2022-1384","CVE-2022-1384","GHSA-32rp-q37p-jg6w"],"created_at":"2026-04-26 03:02:13.207769+00:00","updated_at":"2026-04-26 03:02:13.207769+00:00"},{"id":5787,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"6.7.0","fixed_version":"6.7.1","bug_id":"osv:GO-2022-0540","title":"Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server","description":"Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-7ggc-5r84-xf54","labels":["BIT-mattermost-2022-2401","CVE-2022-2401","GHSA-7ggc-5r84-xf54"],"created_at":"2026-04-26 03:02:13.204989+00:00","updated_at":"2026-04-26 03:02:13.204989+00:00"},{"id":5786,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20260123215601-86797c508c44","bug_id":"osv:GHSA-xv2p-wchj-qjhp","title":"Mattermost fails to bound memory allocation when processing DOC files","description":"Mattermost versions 11.3.x 
<= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file.. Mattermost Advisory ID: MMSA-2026-00581","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25780","labels":["CVE-2026-25780","GO-2026-4733"],"created_at":"2026-04-26 03:02:13.202213+00:00","updated_at":"2026-04-26 03:02:13.202213+00:00"},{"id":5784,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20260107144005-c7f6efdfb035","bug_id":"osv:GHSA-xpvf-6qcc-9jqc","title":"Mattermost fails to validate team-specific upload_file permissions","description":"Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a different team. 
Mattermost Advisory ID: MMSA-2025-00553","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4265","labels":["CVE-2026-4265","GO-2026-4749"],"created_at":"2026-04-26 03:02:13.196618+00:00","updated_at":"2026-04-26 03:02:13.196618+00:00"},{"id":5783,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"11.1.0","bug_id":"osv:GHSA-xpg8-8xpv-948p","title":"Mattermost does not enforce MFA on WebSocket connections","description":"Mattermost versions < 11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55070","labels":["CVE-2025-55070","GO-2025-4128"],"created_at":"2026-04-26 03:02:13.191067+00:00","updated_at":"2026-04-26 03:02:13.191067+00:00"},{"id":5782,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2-0.20171013141717-ee57a5829ab1","bug_id":"osv:GHSA-x6mw-hf2j-vqpc","title":"Mattermost Server is vulnerable to channel invisibility DoS via misformatted post","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. 
It allows attackers to cause a denial of service (channel invisibility) via a misformatted post.
confirmed.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13324","labels":["CVE-2025-13324","GO-2025-4256"],"created_at":"2026-04-26 03:02:13.182437+00:00","updated_at":"2026-04-26 03:02:13.182437+00:00"},{"id":5778,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.6.7-0.20170420152529-0968e4079e0a","bug_id":"osv:GHSA-x33g-375j-jhf7","title":"Mattermost Server has Improper Authorization for Integration Requests","description":"An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. API endpoint access control does not honor an integration permission restriction.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18916","labels":["CVE-2017-18916","GO-2026-4467"],"created_at":"2026-04-26 03:02:13.174143+00:00","updated_at":"2026-04-26 03:02:13.174143+00:00"},{"id":5777,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.8.0","fixed_version":"10.8.2","bug_id":"osv:GHSA-wvw2-3jh4-4c39","title":"Mattermost Path Traversal vulnerability","description":"Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6233","labels":["CVE-2025-6233","GO-2025-3820"],"created_at":"2026-04-26 03:02:13.171307+00:00","updated_at":"2026-04-26 03:02:13.171307+00:00"},{"id":5775,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.0.5","bug_id":"osv:GHSA-wj5w-qghh-gvqp","title":"Mattermost Server does not neutralize HTML content in an Email template field","description":"An issue 
was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. E-mail templates can have a field in which HTML content is not neutralized.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18892","labels":["CVE-2017-18892","GO-2026-4317"],"created_at":"2026-04-26 03:02:13.165760+00:00","updated_at":"2026-04-26 03:02:13.165760+00:00"},{"id":5774,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.6.0-rc1","fixed_version":"9.6.1","bug_id":"osv:GHSA-wj37-mpq9-xrcm","title":"Mattermost fails to limit the number of active sessions","description":"Mattermost versions 8.1.x before 8.1.12, 9.6.x before 9.6.1, 9.5.x before 9.5.3, 9.4.x before 9.4.5 fail to limit the number of active sessions, which allows an authenticated attacker to crash the server via repeated requests to the getSessions API after flooding the sessions table.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4183","labels":["CVE-2024-4183","GO-2024-2798"],"created_at":"2026-04-26 03:02:13.163055+00:00","updated_at":"2026-04-26 03:02:13.163055+00:00"},{"id":5773,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"0.0.0-20250513065225-4ae5d647fb88","bug_id":"osv:GHSA-wgvp-jj4w-88hf","title":"Mattermost Incorrect Authorization vulnerability","description":"Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display name, and participant count through the run metadata API 
endpoint.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47871","labels":["CVE-2025-47871","GO-2025-3797"],"created_at":"2026-04-26 03:02:13.160272+00:00","updated_at":"2026-04-26 03:02:13.160272+00:00"},{"id":5772,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2","bug_id":"osv:GHSA-w8cc-3h7q-jhc3","title":"Mattermost Server has low entropy for authorization data as an OAuth 2.0 Service Provider","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18883","labels":["CVE-2017-18883","GO-2025-4198"],"created_at":"2026-04-26 03:02:13.157483+00:00","updated_at":"2026-04-26 03:02:13.157483+00:00"},{"id":5771,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"8.1.0","fixed_version":"8.1.12","bug_id":"osv:GHSA-vx97-8q8q-qgq5","title":"Mattermost's detailed error messages reveal the full file path","description":"Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if the developer mode is off which allows an attacker to get information about the server such as the full path were files are stored\n\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32046","labels":["CVE-2024-32046","GO-2024-2797"],"created_at":"2026-04-26 03:02:13.154708+00:00","updated_at":"2026-04-26 03:02:13.154708+00:00"},{"id":5770,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20251121122154-b57c297c6d7","bug_id":"osv:GHSA-vww6-79rv-3j4x","title":"Mattermost doesn't 
verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin","description":"Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64641","labels":["CVE-2025-64641","GO-2025-4260"],"created_at":"2026-04-26 03:02:13.151988+00:00","updated_at":"2026-04-26 03:02:13.151988+00:00"},{"id":5769,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"2.1.0","bug_id":"osv:GHSA-vw57-55f8-c73q","title":"Mattermost Server allows XSS via CSRF","description":"An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11084","labels":["CVE-2016-11084","GO-2025-4066"],"created_at":"2026-04-26 03:02:13.149148+00:00","updated_at":"2026-04-26 03:02:13.149148+00:00"},{"id":5767,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.0.5","bug_id":"osv:GHSA-vrh2-rprg-rgc6","title":"Mattermost Server does not safeguard against phishing via error page links","description":"An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. 
It allows Phishing because an error page can have a link.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18891","labels":["CVE-2017-18891","GO-2026-4298"],"created_at":"2026-04-26 03:02:13.143422+00:00","updated_at":"2026-04-26 03:02:13.143422+00:00"},{"id":5765,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"0.0.0-20250513065225-4ae5d647fb88","bug_id":"osv:GHSA-v8fr-vxmw-6mf6","title":"Mattermost Incorrect Authorization vulnerability","description":"Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via the playbook run participants feature, even when the 'Manage Members' permission has been explicitly removed. 
This can lead to unauthorized access to sensitive channel content and allow guest users to gain channel management privileges.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46702","labels":["CVE-2025-46702","GO-2025-3796"],"created_at":"2026-04-26 03:02:13.137607+00:00","updated_at":"2026-04-26 03:02:13.137607+00:00"},{"id":5764,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"7.1.4","bug_id":"osv:GHSA-v42f-hq78-8c5m","title":"Denial of service in Mattermost","description":"A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-4045","labels":["CVE-2022-4045"],"created_at":"2026-04-26 03:02:13.134853+00:00","updated_at":"2026-04-26 03:02:13.134853+00:00"},{"id":5761,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"2.2.0","bug_id":"osv:GHSA-rm24-25xm-9454","title":"Mattermost Server: Files may be rendered inline instead of downloaded, allowing script execution","description":"An issue was discovered in Mattermost Server before 2.2.0. 
It allows XSS because it configures files to be opened in a browser window.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11083","labels":["CVE-2016-11083","GO-2025-4065"],"created_at":"2026-04-26 03:02:13.126395+00:00","updated_at":"2026-04-26 03:02:13.126395+00:00"},{"id":5757,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"5.4.0-rc1","fixed_version":"7.8.12","bug_id":"osv:GHSA-r67m-mf7v-qp7j","title":"Mattermost password hash disclosure vulnerability","description":"Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. ","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5968","labels":["CVE-2023-5968"],"created_at":"2026-04-26 03:02:13.112287+00:00","updated_at":"2026-04-26 03:02:13.112287+00:00"},{"id":5755,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"0.0.0-20250520060012-d0380305ef7a","bug_id":"osv:GHSA-qwwm-c582-82rx","title":"Mattermost allows unauthorized channel member management through playbook runs","description":"Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions in playbook runs, allowing authenticated users without the 'Manage Channel Members' permission to add or remove users from public and private channels by manipulating playbook run participants when the run is linked to a channel.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3227","labels":["CVE-2025-3227","GO-2025-3772"],"created_at":"2026-04-26 03:02:13.106650+00:00","updated_at":"2026-04-26 
03:02:13.106650+00:00"},{"id":5752,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.8.0","fixed_version":"10.8.4","bug_id":"osv:GHSA-qj47-w9f2-qg44","title":"Mattermost Does Not Sanitize the Team Invite ID","description":"Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the  POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47870","labels":["CVE-2025-47870","GO-2025-3905"],"created_at":"2026-04-26 03:02:13.098153+00:00","updated_at":"2026-04-26 03:02:13.098153+00:00"},{"id":5750,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.8.0","fixed_version":"10.8.4","bug_id":"osv:GHSA-q453-638c-h4mr","title":"Mattermost Fails to Validate Remote Cluster Upload Sessions","description":"Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49222","labels":["CVE-2025-49222","GO-2025-3904"],"created_at":"2026-04-26 03:02:13.092621+00:00","updated_at":"2026-04-26 03:02:13.092621+00:00"},{"id":5749,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"2.0.1-0.20160310160916-26ad6d2c7696","bug_id":"osv:GHSA-q3g9-hgrx-hwhx","title":"Mattermost Server exposes sensitive information about team URLs via an API","description":"An issue was discovered in Mattermost Server before 3.0.0. 
It allows attackers to obtain sensitive information about team URLs via an API.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11075","labels":["CVE-2016-11075","GO-2025-4061"],"created_at":"2026-04-26 03:02:13.089882+00:00","updated_at":"2026-04-26 03:02:13.089882+00:00"},{"id":5747,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20251210191531-cd17b61de41b","bug_id":"osv:GHSA-pp9j-pf5c-659x","title":"Mattermost fails to sanitize sensitive data in WebSocket messages","description":"Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13821","labels":["CVE-2025-13821","GO-2026-4524"],"created_at":"2026-04-26 03:02:13.084378+00:00","updated_at":"2026-04-26 03:02:13.084378+00:00"},{"id":5746,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.8.0","fixed_version":"10.8.4","bug_id":"osv:GHSA-pj6f-rc94-gw53","title":"Mattermost Fails to Sanitize File Names","description":"Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6465","labels":["CVE-2025-6465","GO-2025-3910"],"created_at":"2026-04-26 03:02:13.081683+00:00","updated_at":"2026-04-26 
03:02:13.081683+00:00"},{"id":5745,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20260123211116-9efe617be8b8","bug_id":"osv:GHSA-ph22-fw5m-w2q9","title":"Mattermost allows attackers to spoof permalink embeds","description":"Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisory ID: MMSA-2025-00569","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2457","labels":["CVE-2026-2457","GO-2026-4732"],"created_at":"2026-04-26 03:02:13.078944+00:00","updated_at":"2026-04-26 03:02:13.078944+00:00"},{"id":5743,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0","fixed_version":"10.11.9","bug_id":"osv:GHSA-mx8m-v8qm-xwr8","title":"Mattermost is vulnerable to DoS due to infinite re-renders on API errors","description":"Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14435","labels":["CVE-2025-14435","GO-2026-4326"],"created_at":"2026-04-26 03:02:13.073382+00:00","updated_at":"2026-04-26 03:02:13.073382+00:00"},{"id":5742,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0","fixed_version":"10.11.4","bug_id":"osv:GHSA-mqp8-pgg5-7x7m","title":"Mattermost allows system administrators to access password hashes and MFA secrets","description":"Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail 
to sanitize user data which allows system administrators to access password hashes and MFA secrets via the POST /api/v4/users/{user_id}/email/verify/member endpoint","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-11794","labels":["CVE-2025-11794","GO-2025-4130"],"created_at":"2026-04-26 03:02:13.070581+00:00","updated_at":"2026-04-26 03:02:13.070581+00:00"},{"id":5738,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"2.2.0","bug_id":"osv:GHSA-m78r-2x6w-qqjp","title":"Mattermost Server is vulnerable to XSS through crafted links","description":"An issue was discovered in Mattermost Server before 2.2.0. It allows XSS via a crafted link.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11082","labels":["CVE-2016-11082","GO-2025-4064"],"created_at":"2026-04-26 03:02:13.059500+00:00","updated_at":"2026-04-26 03:02:13.059500+00:00"},{"id":5736,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2","bug_id":"osv:GHSA-m497-hq5x-6jcv","title":"Mattermost Server allows attackers to create buttons that can launch API requests","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. 
It allows an attacker to create a button that, when pressed by a user, launches an API request.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18890","labels":["CVE-2017-18890","GO-2025-4202"],"created_at":"2026-04-26 03:02:13.053991+00:00","updated_at":"2026-04-26 03:02:13.053991+00:00"},{"id":5731,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.10.3","bug_id":"osv:GHSA-jwfv-5hwq-f97r","title":"Mattermost Server exposes team invite IDs through API endpoints","description":"An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover team invite IDs via team API endpoints.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18902","labels":["CVE-2017-18902","GO-2025-4185"],"created_at":"2026-04-26 03:02:13.040059+00:00","updated_at":"2026-04-26 03:02:13.040059+00:00"},{"id":5730,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2","bug_id":"osv:GHSA-jp57-4x34-5v94","title":"Mattermost Server is vulnerable to webhook and slash command manipulation","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. 
An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18889","labels":["CVE-2017-18889","GO-2025-4201"],"created_at":"2026-04-26 03:02:13.037270+00:00","updated_at":"2026-04-26 03:02:13.037270+00:00"},{"id":5728,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20250815165020-c8d66301415d","bug_id":"osv:GHSA-j6gg-r5jc-47cm","title":"Mattermost fails to properly restrict access to archived channel search API","description":"Mattermost versions < 11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-11776","labels":["CVE-2025-11776","GO-2025-4126"],"created_at":"2026-04-26 03:02:13.031643+00:00","updated_at":"2026-04-26 03:02:13.031643+00:00"},{"id":5724,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2-0.20171004201910-6be8113eb60c","bug_id":"osv:GHSA-hjqh-j6rj-gh8q","title":"Mattermost Server is vulnerable to Path Traversal when files are stored locally","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. 
A System Admin can test for the existence of an arbitrary file.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18876","labels":["CVE-2017-18876","GO-2025-4187"],"created_at":"2026-04-26 03:02:13.020814+00:00","updated_at":"2026-04-26 03:02:13.020814+00:00"},{"id":5723,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.3.3","bug_id":"osv:GHSA-hgrp-fgm8-56g8","title":"Mattermost Server's OAuth 2.0 service is vulnerable to attack through Missing Authorization","description":"An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. Attackers could reconfigure an OAuth app in some cases where Mattermost is an OAuth 2.0 service provider.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18872","labels":["CVE-2017-18872","GO-2025-4075"],"created_at":"2026-04-26 03:02:13.018058+00:00","updated_at":"2026-04-26 03:02:13.018058+00:00"},{"id":5722,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.1.0","bug_id":"osv:GHSA-h8qw-xqm9-q66j","title":"Mattermost Server is vulnerable to XSS through customizable theme color-code values","description":"An issue was discovered in Mattermost Server before 3.1.0. 
It allows XSS via theme color-code values.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11070","labels":["CVE-2016-11070","GO-2025-4050"],"created_at":"2026-04-26 03:02:13.015269+00:00","updated_at":"2026-04-26 03:02:13.015269+00:00"},{"id":5721,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.0.5","bug_id":"osv:GHSA-h742-xx59-r9pq","title":"Mattermost Server exposes sensitive user status information via REST API version 4 endpoint","description":"An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to obtain sensitive information (user statuses) via a REST API version 4 endpoint.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18895","labels":["CVE-2017-18895","GO-2026-4295"],"created_at":"2026-04-26 03:02:13.012314+00:00","updated_at":"2026-04-26 03:02:13.012314+00:00"},{"id":5720,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.4.0","fixed_version":"10.4.3","bug_id":"osv:GHSA-h5v9-xw2g-7hrq","title":"Mattermost allows members with permission to convert public channels to private and convert private to public","description":"Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to enforce channel conversion restrictions, which allows members with permission to convert public channels to private ones to also convert private ones to public.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27933","labels":["BIT-mattermost-2025-27933","CVE-2025-27933","GO-2025-3556"],"created_at":"2026-04-26 03:02:13.009567+00:00","updated_at":"2026-04-26 
03:02:13.009567+00:00"},{"id":5719,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2-0.20171004201910-6be8113eb60c","bug_id":"osv:GHSA-h564-6gc2-fcc6","title":"Mattermost Server allows users with a session ID to revoke another users' session","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18878","labels":["CVE-2017-18878","GO-2025-4191"],"created_at":"2026-04-26 03:02:13.006634+00:00","updated_at":"2026-04-26 03:02:13.006634+00:00"},{"id":5718,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.8.0","fixed_version":"10.8.4","bug_id":"osv:GHSA-h469-4fcf-p23h","title":"Mattermost has Potential Server Crash due to Unvalidated Import Data","description":"Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-8402","labels":["CVE-2025-8402","GO-2025-3911"],"created_at":"2026-04-26 03:02:13.003935+00:00","updated_at":"2026-04-26 03:02:13.003935+00:00"},{"id":5717,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.1.0","bug_id":"osv:GHSA-h3qg-w9j5-wh3m","title":"Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener`","description":"An issue was discovered in Mattermost Server before 3.1.0. 
It allows XSS because the noreferrer and noopener protection mechanisms were not in place.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11071","labels":["CVE-2016-11071","GO-2025-4058"],"created_at":"2026-04-26 03:02:13.001130+00:00","updated_at":"2026-04-26 03:02:13.001130+00:00"},{"id":5716,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"6.6.0","fixed_version":"6.6.1","bug_id":"osv:GHSA-gwpf-95jc-63rv","title":"Uncontrolled Resource Consumption in Mattermost server","description":"Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1982","labels":["BIT-mattermost-2022-1982","CVE-2022-1982"],"created_at":"2026-04-26 03:02:12.998335+00:00","updated_at":"2026-04-26 03:02:12.998335+00:00"},{"id":5715,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20260129133647-5d787969c2d5","bug_id":"osv:GHSA-gqv7-j2j8-qmwq","title":"Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation","description":"Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.0.1]).. 
Mattermost Advisory ID: MMSA-2026-00585","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2455","labels":["CVE-2026-2455","GO-2026-4746"],"created_at":"2026-04-26 03:02:12.995586+00:00","updated_at":"2026-04-26 03:02:12.995586+00:00"},{"id":5714,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.9.0","fixed_version":"10.9.2","bug_id":"osv:GHSA-gq3r-5833-5532","title":"Mattermost Fails to Validate File Paths","description":"Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-36530","labels":["CVE-2025-36530","GO-2025-3901"],"created_at":"2026-04-26 03:02:12.992883+00:00","updated_at":"2026-04-26 03:02:12.992883+00:00"},{"id":5711,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.0","bug_id":"osv:GHSA-g3f3-p9rc-775p","title":"Mattermost Server exposes account details to any Team Administrator","description":"An issue was discovered in Mattermost Server before 3.0.0. 
It offers superfluous APIs for a Team Administrator to view account details.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11080","labels":["CVE-2016-11080","GO-2025-4063"],"created_at":"2026-04-26 03:02:12.984623+00:00","updated_at":"2026-04-26 03:02:12.984623+00:00"},{"id":5710,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.9.2","bug_id":"osv:GHSA-g24c-fx4v-xg9w","title":"Mattermost Server has Insufficient Session Expiration when used as an OAuth 2.0 service provider","description":"An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2, when used as an OAuth 2.0 service provider, Session invalidation was mishandled.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18905","labels":["CVE-2017-18905","GO-2026-4306"],"created_at":"2026-04-26 03:02:12.981877+00:00","updated_at":"2026-04-26 03:02:12.981877+00:00"},{"id":5709,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20260105134819-cc427af41b2a","bug_id":"osv:GHSA-fx49-m253-27jj","title":"Mattermost fails to filter invite IDs based on user permissions","description":"Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. 
Mattermost Advisory ID: MMSA-2025-00565","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2463","labels":["CVE-2026-2463","GO-2026-4735"],"created_at":"2026-04-26 03:02:12.979236+00:00","updated_at":"2026-04-26 03:02:12.979236+00:00"},{"id":5708,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.11.0","fixed_version":"9.11.9","bug_id":"osv:GHSA-fqrq-xmxj-v47x","title":"Mattermost Fails to Properly Perform Viewer Role Authorization","description":"Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-1472","labels":["CVE-2025-1472","GO-2025-3534"],"created_at":"2026-04-26 03:02:12.976488+00:00","updated_at":"2026-04-26 03:02:12.976488+00:00"},{"id":5706,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20251121122154-b57c297c6d7","bug_id":"osv:GHSA-fmqf-pmcm-8cx9","title":"Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues","description":"Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13767","labels":["CVE-2025-13767","GO-2025-4259"],"created_at":"2026-04-26 03:02:12.970942+00:00","updated_at":"2026-04-26 
03:02:12.970942+00:00"},{"id":5705,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.4.0-rc1","fixed_version":"11.4.1","bug_id":"osv:GHSA-fg35-5rf6-qg3g","title":"Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw","description":"Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID {{IsSameUser()}} comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow. Mattermost Advisory ID: MMSA-2026-00590","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27656","labels":["CVE-2026-27656"],"created_at":"2026-04-26 03:02:12.968136+00:00","updated_at":"2026-04-26 03:02:12.968136+00:00"},{"id":5704,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.2.0","bug_id":"osv:GHSA-ffcc-qr2v-3qmv","title":"Mattermost Server is vulnerable to Uncontrolled Resource Consumption","description":"An issue was discovered in Mattermost Server before 3.2.0. 
It allowed crafted posts that could cause a web browser to hang.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11067","labels":["CVE-2016-11067","GO-2025-4046"],"created_at":"2026-04-26 03:02:12.965390+00:00","updated_at":"2026-04-26 03:02:12.965390+00:00"},{"id":5703,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0","fixed_version":"10.11.4","bug_id":"osv:GHSA-ff85-qw3h-g9vp","title":"Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL","description":"Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and the MSTeams plugin OAuth flow which allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55073","labels":["CVE-2025-55073","GO-2025-4129"],"created_at":"2026-04-26 03:02:12.962599+00:00","updated_at":"2026-04-26 03:02:12.962599+00:00"},{"id":5701,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.0.5","bug_id":"osv:GHSA-f7c3-7vp3-44p6","title":"Mattermost Server mishandles redirect denial action","description":"An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. 
It mishandles a deny action for a redirection.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18897","labels":["CVE-2017-18897","GO-2026-4301"],"created_at":"2026-04-26 03:02:12.957257+00:00","updated_at":"2026-04-26 03:02:12.957257+00:00"},{"id":5699,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20260107142155-0481bd1fb045","bug_id":"osv:GHSA-cwfj-642j-gfh4","title":"Mattermost fails to properly enforce read permissions in search API endpoints","description":"Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24692","labels":["CVE-2026-24692","GO-2026-4745"],"created_at":"2026-04-26 03:02:12.951649+00:00","updated_at":"2026-04-26 03:02:12.951649+00:00"},{"id":5697,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.5.1","bug_id":"osv:GHSA-cffj-7w5c-jqjh","title":"Mattermost Server vulnerable to Cross-site Scripting through file preview feature","description":"An issue was discovered in Mattermost Server before 3.5.1. 
XSS can occur via file preview.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11063","labels":["CVE-2016-11063","GO-2025-4045"],"created_at":"2026-04-26 03:02:12.946043+00:00","updated_at":"2026-04-26 03:02:12.946043+00:00"},{"id":5696,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.10.3","bug_id":"osv:GHSA-c253-8hr4-r8v9","title":"Mattermost Server exposes private team invite ID","description":"An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18901","labels":["CVE-2017-18901","GO-2026-4304"],"created_at":"2026-04-26 03:02:12.943354+00:00","updated_at":"2026-04-26 03:02:12.943354+00:00"},{"id":5695,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2","bug_id":"osv:GHSA-9x8x-w6g5-hx4w","title":"Mattermost Server is vulnerable to XSS attacks against an OAuth 2.0 allow/deny page","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS attacks could occur against an OAuth 2.0 allow/deny page.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18877","labels":["CVE-2017-18877","GO-2025-4190"],"created_at":"2026-04-26 03:02:12.940659+00:00","updated_at":"2026-04-26 03:02:12.940659+00:00"},{"id":5694,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.0","bug_id":"osv:GHSA-9w4v-9c99-hv7r","title":"Mattermost Server exposes sensitive information via its System Console UI","description":"An issue was discovered in Mattermost Server before 3.0.0. 
It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11078","labels":["CVE-2016-11078","GO-2025-4057"],"created_at":"2026-04-26 03:02:12.937956+00:00","updated_at":"2026-04-26 03:02:12.937956+00:00"},{"id":5693,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2-0.20171004201910-6be8113eb60c","bug_id":"osv:GHSA-9rr5-q43r-ccv4","title":"Mattermost Server does not prevent System Admin from arbitrary file creation","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18875","labels":["CVE-2017-18875","GO-2025-4186"],"created_at":"2026-04-26 03:02:12.935248+00:00","updated_at":"2026-04-26 03:02:12.935248+00:00"},{"id":5691,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.2.0","fixed_version":"11.2.2","bug_id":"osv:GHSA-9pj7-jh2r-87g8","title":"Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts","description":"Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint by providing the post ID of an inaccessible post.. 
Mattermost Advisory ID: MMSA-2025-00550","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22892","labels":["CVE-2026-22892","GO-2026-4496"],"created_at":"2026-04-26 03:02:12.929704+00:00","updated_at":"2026-04-26 03:02:12.929704+00:00"},{"id":5690,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.8.0","fixed_version":"10.8.4","bug_id":"osv:GHSA-9p92-x77w-9fw2","title":"Mattermost makes Use of Weak Hash","description":"Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9078","labels":["CVE-2025-9078","GO-2025-3959"],"created_at":"2026-04-26 03:02:12.926822+00:00","updated_at":"2026-04-26 03:02:12.926822+00:00"},{"id":5689,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.0","bug_id":"osv:GHSA-9jrx-fgrm-96qh","title":"Mattermost Server is vulnerable to XSS via a Legal or Support setting","description":"An issue was discovered in Mattermost Server before 3.0.0. 
It allows XSS via a Legal or Support setting.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11073","labels":["CVE-2016-11073","GO-2025-4056"],"created_at":"2026-04-26 03:02:12.924011+00:00","updated_at":"2026-04-26 03:02:12.924011+00:00"},{"id":5688,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"3.3.0","fixed_version":"7.1.6","bug_id":"osv:GHSA-9hj7-v56g-rhf6","title":"Mattermost fails to properly validate the inviter's permissions to a private channel","description":"When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.\n\n[Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00137","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1774","labels":["BIT-mattermost-2023-1774","CVE-2023-1774"],"created_at":"2026-04-26 03:02:12.921297+00:00","updated_at":"2026-04-26 03:02:12.921297+00:00"},{"id":5686,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.0.5","bug_id":"osv:GHSA-9589-mq83-f749","title":"Mattermost Server is vulnerable to DoS through maliciously crafted posts","description":"An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. 
It allows crafted posts that potentially cause a web browser to hang.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18898","labels":["CVE-2017-18898","GO-2026-4300"],"created_at":"2026-04-26 03:02:12.915792+00:00","updated_at":"2026-04-26 03:02:12.915792+00:00"},{"id":5685,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2-0.20171004201910-6be8113eb60","bug_id":"osv:GHSA-8qg8-c7mw-6fj7","title":"Mattermost Server is vulnerable to Directory Traversal by System Admins","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18874","labels":["CVE-2017-18874","GO-2025-4148"],"created_at":"2026-04-26 03:02:12.913033+00:00","updated_at":"2026-04-26 03:02:12.913033+00:00"},{"id":5683,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.9.2","bug_id":"osv:GHSA-8pff-p3gx-w4jf","title":"Mattermost Server vulnerable to XSS via an uploaded file","description":"An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. 
It allows XSS via an uploaded file.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18904","labels":["CVE-2017-18904","GO-2026-4302"],"created_at":"2026-04-26 03:02:12.907177+00:00","updated_at":"2026-04-26 03:02:12.907177+00:00"},{"id":5682,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"3.3.0","fixed_version":"7.1.6","bug_id":"osv:GHSA-8jhh-3jf2-pfwr","title":"Mattermost vulnerable to information disclosure","description":"When running in a High Availability configuration, Mattermost fails to sanitize some of the `user_updated` and `post_deleted` events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.\n\n[Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00138","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1775","labels":["BIT-mattermost-2023-1775","CVE-2023-1775"],"created_at":"2026-04-26 03:02:12.904302+00:00","updated_at":"2026-04-26 03:02:12.904302+00:00"},{"id":5681,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"8.1.0","fixed_version":"8.1.12","bug_id":"osv:GHSA-8f99-g2pj-x8w3","title":"Mattermost crashes web clients via a malformed custom status","description":"Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.\n\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4182","labels":["CVE-2024-4182","GO-2024-2795"],"created_at":"2026-04-26 03:02:12.901566+00:00","updated_at":"2026-04-26 
03:02:12.901566+00:00"},{"id":5680,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.0.5","bug_id":"osv:GHSA-887v-xh2x-47cm","title":"Mattermost Server is vulnerable to XSS through display name field","description":"An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. Display names allow XSS.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18893","labels":["CVE-2017-18893","GO-2026-4296"],"created_at":"2026-04-26 03:02:12.898851+00:00","updated_at":"2026-04-26 03:02:12.898851+00:00"},{"id":5678,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.2.0","bug_id":"osv:GHSA-7vmw-6c7h-rrrv","title":"Mattermost Server is vulnerable to Code Injection through its LDAP fields","description":"An issue was discovered in Mattermost Server before 3.2.0. Attackers could read LDAP fields via injection.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11068","labels":["CVE-2016-11068","GO-2025-4048"],"created_at":"2026-04-26 03:02:12.893333+00:00","updated_at":"2026-04-26 03:02:12.893333+00:00"},{"id":5677,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0","fixed_version":"10.5.7","bug_id":"osv:GHSA-7h34-9chr-58qh","title":"Mattermost Missing Authentication for Critical Function","description":"Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created 
posts.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6226","labels":["CVE-2025-6226","GO-2025-3819"],"created_at":"2026-04-26 03:02:12.890589+00:00","updated_at":"2026-04-26 03:02:12.890589+00:00"},{"id":5676,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20250822090405-e8c7e7d0252b","bug_id":"osv:GHSA-7cr3-38jm-6p45","title":"Mattermost has a Missing Authorization vulnerability","description":"Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which allows guest users to discover active public channels and their metadata via the `/api/v4/teams/{team_id}/channels/ids` endpoint","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-41443","labels":["CVE-2025-41443","GO-2025-4031"],"created_at":"2026-04-26 03:02:12.887840+00:00","updated_at":"2026-04-26 03:02:12.887840+00:00"},{"id":5673,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20260113182106-a18b80ba4c32","bug_id":"osv:GHSA-679f-wmrg-qf57","title":"Mattermost allows a removed team member to enumerate all public channels within a private team","description":"Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint. 
Mattermost Advisory ID: MMSA-2025-00568","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2458","labels":["CVE-2026-2458","GO-2026-4729"],"created_at":"2026-04-26 03:02:12.879289+00:00","updated_at":"2026-04-26 03:02:12.879289+00:00"},{"id":5672,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"4.1.0","fixed_version":"4.1.1","bug_id":"osv:GHSA-63wg-qmrv-7q66","title":"Mattermost Server allows attackers to log sensitive information via DEBUG REST API logging endpoint","description":"An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5. It allows attackers to add DEBUG lines to the logs via a REST API version 3 logging endpoint.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18896","labels":["CVE-2017-18896","GO-2026-4299"],"created_at":"2026-04-26 03:02:12.876501+00:00","updated_at":"2026-04-26 03:02:12.876501+00:00"},{"id":5671,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"6.0.0","fixed_version":"7.1.6","bug_id":"osv:GHSA-63f2-6959-2pxj","title":"Mattermost vulnerable to cross-site scripting (XSS)","description":"Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. 
\n\n[Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00139","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1776","labels":["BIT-mattermost-2023-1776","CVE-2023-1776"],"created_at":"2026-04-26 03:02:12.871095+00:00","updated_at":"2026-04-26 03:02:12.871095+00:00"},{"id":5669,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"2.2.0","bug_id":"osv:GHSA-5q37-9874-qxcw","title":"Mattermost Server exposes information stored by a web browser","description":"An issue was discovered in Mattermost Server before 2.2.0. It allows unintended access to information stored by a web browser.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11081","labels":["CVE-2016-11081","GO-2025-4062"],"created_at":"2026-04-26 03:02:12.865558+00:00","updated_at":"2026-04-26 03:02:12.865558+00:00"},{"id":5668,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20260130144323-5bb5261c72fa","bug_id":"osv:GHSA-5mr9-crcg-8wh2","title":"Mattermost fails to use consistent error responses when handling the /mute command","description":"Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. 
Mattermost Advisory ID: MMSA-2026-00588","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21386","labels":["CVE-2026-21386","GO-2026-4744"],"created_at":"2026-04-26 03:02:12.862772+00:00","updated_at":"2026-04-26 03:02:12.862772+00:00"},{"id":5666,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"7.1.4","bug_id":"osv:GHSA-5jph-wrq7-v9hf","title":"Denial of service in Mattermost","description":"A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-4044","labels":["CVE-2022-4044"],"created_at":"2026-04-26 03:02:12.857131+00:00","updated_at":"2026-04-26 03:02:12.857131+00:00"},{"id":5665,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.6.5","bug_id":"osv:GHSA-5ghq-28r7-qwfj","title":"Mattermost Server does not restrict SAML certificate path for System Administrators","description":"An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. 
A System Administrator can place a SAML certificate at an arbitrary pathname.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18918","labels":["CVE-2017-18918","GO-2026-4460"],"created_at":"2026-04-26 03:02:12.854391+00:00","updated_at":"2026-04-26 03:02:12.854391+00:00"},{"id":5663,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20251209134645-761e56bb11cc","bug_id":"osv:GHSA-57cc-2pf4-mhmx","title":"Mattermost fails to properly validate team membership when processing channel mentions","description":"Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14350","labels":["CVE-2025-14350","GO-2026-4521"],"created_at":"2026-04-26 03:02:12.849050+00:00","updated_at":"2026-04-26 03:02:12.849050+00:00"},{"id":5662,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20250414112942-77892234944b","bug_id":"osv:GHSA-4r67-4x4p-fprg","title":"Mattermost allows authenticated administrator to execute LDAP search filter injection","description":"Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID 
Attribute.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-4573","labels":["CVE-2025-4573","GO-2025-3756"],"created_at":"2026-04-26 03:02:12.846249+00:00","updated_at":"2026-04-26 03:02:12.846249+00:00"},{"id":5661,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20251015091448-abbf01b9db45","bug_id":"osv:GHSA-4g87-9x45-cx2h","title":"Mattermost fails to sanitize team email addresses","description":"Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12559","labels":["CVE-2025-12559","GO-2025-4169"],"created_at":"2026-04-26 03:02:12.843454+00:00","updated_at":"2026-04-26 03:02:12.843454+00:00"},{"id":5659,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2","bug_id":"osv:GHSA-498j-wxww-j897","title":"Mattermost Server is vulnerable to XSS through author_link field in Slack attachments","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. 
XSS could occur via the author_link field of a Slack attachment.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18879","labels":["CVE-2017-18879","GO-2025-4189"],"created_at":"2026-04-26 03:02:12.837941+00:00","updated_at":"2026-04-26 03:02:12.837941+00:00"},{"id":5658,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.4.0-rc1","fixed_version":"11.4.1","bug_id":"osv:GHSA-4765-v66x-rqx7","title":"Mattermost doesn't set permissions on downloaded bulk export","description":"Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on downloaded bulk export which allows other local users on the server to be able to read contents of the bulk export. Mattermost Advisory ID: MMSA-2026-00593.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3113","labels":["CVE-2026-3113"],"created_at":"2026-04-26 03:02:12.835182+00:00","updated_at":"2026-04-26 03:02:12.835182+00:00"},{"id":5657,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"0.0.0-20250520060012-d0380305ef7a","bug_id":"osv:GHSA-4578-6gjh-f2jm","title":"Mattermost allows an unauthorized Guest user access to Playbook","description":"Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly retrieve requestorInfo from playbooks handler for guest users which allows an attacker access to the playbook run.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3228","labels":["CVE-2025-3228","GO-2025-3771"],"created_at":"2026-04-26 03:02:12.832433+00:00","updated_at":"2026-04-26 
03:02:12.832433+00:00"},{"id":5656,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20260115183946-38b413a27604","bug_id":"osv:GHSA-44mv-jq72-gj49","title":"Mattermost fails to bound memory allocation when processing PSD image files","description":"Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost Advisory ID: MMSA-2026-00572","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26246","labels":["CVE-2026-26246","GO-2026-4727"],"created_at":"2026-04-26 03:02:12.829628+00:00","updated_at":"2026-04-26 03:02:12.829628+00:00"},{"id":5655,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.2","bug_id":"osv:GHSA-43m6-wvc8-2m7j","title":"Mattermost Server's Session ID and Session Token are potentially compromised","description":"An issue was discovered in Mattermost Server before 3.0.2. The purposes of a session ID and a Session Token were mishandled.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11072","labels":["CVE-2016-11072","GO-2025-4055"],"created_at":"2026-04-26 03:02:12.826881+00:00","updated_at":"2026-04-26 03:02:12.826881+00:00"},{"id":5654,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.9.2-0.20170714014920-312269ad0bd1","bug_id":"osv:GHSA-42x9-rr3c-gr59","title":"Mattermost Server vulnerable to XSS through channel headers","description":"An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. 
XSS could occur via a channel header.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18907","labels":["CVE-2017-18907","GO-2026-4459"],"created_at":"2026-04-26 03:02:12.824132+00:00","updated_at":"2026-04-26 03:02:12.824132+00:00"},{"id":5650,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"6.3.0","fixed_version":"7.1.6","bug_id":"osv:GHSA-3wq5-3f56-v5xc","title":"Mattermost vulnerable to information disclosure","description":"Mattermost allows an attacker to request a preview of an existing message when creating a new message via the createPost API call, disclosing the contents of the linked message.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1777","labels":["BIT-mattermost-2023-1777","CVE-2023-1777"],"created_at":"2026-04-26 03:02:12.810059+00:00","updated_at":"2026-04-26 03:02:12.810059+00:00"},{"id":5649,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20250729073403-517ae758cd02","bug_id":"osv:GHSA-3vcm-c42p-3hhf","title":"Mattermost Missing Authorization vulnerability","description":"Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. 
This vulnerability affects Mattermost Server instances with shared channels enabled.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9076","labels":["CVE-2025-9076","GO-2025-3950"],"created_at":"2026-04-26 03:02:12.807179+00:00","updated_at":"2026-04-26 03:02:12.807179+00:00"},{"id":5648,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20260127062706-c6b205f0d770","bug_id":"osv:GHSA-3rhr-jr63-hwq5","title":"Mattermost fails to preserve the redacted state of burn-on-read posts during deletion","description":"Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event. Mattermost Advisory ID: MMSA-2026-00579","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2578","labels":["CVE-2026-2578","GO-2026-4734"],"created_at":"2026-04-26 03:02:12.804433+00:00","updated_at":"2026-04-26 03:02:12.804433+00:00"},{"id":5647,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20250822083415-01b95392a450","bug_id":"osv:GHSA-3q4q-wqm6-hvf3","title":"Mattermost has a Missing Authorization vulnerability","description":"Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictions.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-41410","labels":["CVE-2025-41410","GO-2025-4029"],"created_at":"2026-04-26 03:02:12.801651+00:00","updated_at":"2026-04-26 
03:02:12.801651+00:00"},{"id":5646,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20251212052346-61651b0df7ea","bug_id":"osv:GHSA-3c9r-7f29-qp32","title":"Mattermost fails to properly validate login method restrictions","description":"Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-0999","labels":["CVE-2026-0999","GO-2026-4520"],"created_at":"2026-04-26 03:02:12.798878+00:00","updated_at":"2026-04-26 03:02:12.798878+00:00"},{"id":5644,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2","bug_id":"osv:GHSA-35c4-5qfp-wxj6","title":"Mattermost Server exposes team creator's e-mail address to other members","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. 
It discloses the team creator's e-mail address to members.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18887","labels":["CVE-2017-18887","GO-2025-4199"],"created_at":"2026-04-26 03:02:12.793441+00:00","updated_at":"2026-04-26 03:02:12.793441+00:00"},{"id":5643,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20260127165411-fe3052073dc6","bug_id":"osv:GHSA-34g8-9fpp-46ch","title":"Mattermost fails to limit the size of responses from integration action endpoints","description":"Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an arbitrarily large response when a user clicks an interactive message button. Mattermost Advisory ID: MMSA-2026-00571","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2456","labels":["CVE-2026-2456","GO-2026-4726"],"created_at":"2026-04-26 03:02:12.790610+00:00","updated_at":"2026-04-26 03:02:12.790610+00:00"},{"id":5641,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0","fixed_version":"10.5.2","bug_id":"osv:GHSA-322v-vh2g-qvpv","title":"Mattermost Fails to Restrict Certain Operations on System Admins","description":"Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to restrict certain operations on system admins to only other system admins, which allows delegated granular administration users with the \"Edit Other Users\" permission to perform unauthorized modifications to system administrators via improper permission 
validation.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32093","labels":["CVE-2025-32093","GO-2025-3609"],"created_at":"2026-04-26 03:02:12.785071+00:00","updated_at":"2026-04-26 03:02:12.785071+00:00"},{"id":5639,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20260129181235-1346cf529aef","bug_id":"osv:GHSA-2v3w-6g35-5f9v","title":"Mattermost fails to properly validate User-Agent header tokens","description":"Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate User-Agent header tokens which allows an authenticated attacker to cause a request panic via a specially crafted User-Agent header. Mattermost Advisory ID: MMSA-2026-00586","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25783","labels":["CVE-2026-25783","GO-2026-4725"],"created_at":"2026-04-26 03:02:12.779447+00:00","updated_at":"2026-04-26 03:02:12.779447+00:00"},{"id":5638,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.0","bug_id":"osv:GHSA-2j9c-76pp-xc5q","title":"Mattermost Server allows XSS via redirect URL","description":"An issue was discovered in Mattermost Server before 3.0.0. 
It allows XSS via a redirect URL.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11079","labels":["CVE-2016-11079","GO-2025-4053"],"created_at":"2026-04-26 03:02:12.776548+00:00","updated_at":"2026-04-26 03:02:12.776548+00:00"},{"id":5637,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"11.4.0-rc1","fixed_version":"11.4.1","bug_id":"osv:GHSA-247x-7qw8-fp98","title":"Mattermost doesn't rate limit login requests, allowing DoS","description":"Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests. Mattermost Advisory ID: MMSA-2025-00566","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26233","labels":["CVE-2026-26233","GO-2026-4916"],"created_at":"2026-04-26 03:02:12.773555+00:00","updated_at":"2026-04-26 03:02:12.773555+00:00"},{"id":5785,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20250728063359-38208b8f065f","bug_id":"osv:GHSA-xr3w-rmvj-f6m7","title":"Mattermost has an Observable Timing Discrepancy vulnerability","description":"Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54499","labels":["CVE-2025-54499","GO-2025-4036"],"created_at":"2026-04-26 03:02:13.199394+00:00","updated_at":"2026-04-26 
03:02:13.199394+00:00"},{"id":5779,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"11.0.0-alpha.1","bug_id":"osv:GHSA-x3hx-ch7p-8xgg","title":"Mattermost allows regular users to access archived channel content and files","description":"Mattermost versions < 11.0 fail to properly enforce the \"Allow users to view archived channels\" setting which allows regular users to access archived channel content and files via the \"Open in Channel\" functionality from followed threads","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-41436","labels":["CVE-2025-41436","GO-2025-4131"],"created_at":"2026-04-26 03:02:13.176897+00:00","updated_at":"2026-04-26 03:02:13.176897+00:00"},{"id":5768,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.5.0","fixed_version":"9.5.7","bug_id":"osv:GHSA-vvpg-55p7-5h8w","title":"Mattermost did not properly restrict channel creation","description":"Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39837","labels":["BIT-mattermost-2024-39837","CVE-2024-39837","GO-2024-3032"],"created_at":"2026-04-26 03:02:13.146222+00:00","updated_at":"2026-04-26 03:02:13.146222+00:00"},{"id":5766,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0","fixed_version":"10.5.10","bug_id":"osv:GHSA-vqwh-5jhh-vc9p","title":"Mattermost Server SSRF Vulnerability via the Agents Plugin","description":"Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post 
actions","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47700","labels":["CVE-2025-47700","GO-2025-3906"],"created_at":"2026-04-26 03:02:13.140553+00:00","updated_at":"2026-04-26 03:02:13.140553+00:00"},{"id":5762,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20260127144908-ced9a56e3988","bug_id":"osv:GHSA-rv67-7w2g-7976","title":"Mattermost fails to validate user's authentication method when processing account auth type switch","description":"Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider. Mattermost Advisory ID: MMSA-2026-00583","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22545","labels":["CVE-2026-22545","GO-2026-4786"],"created_at":"2026-04-26 03:02:13.129210+00:00","updated_at":"2026-04-26 03:02:13.129210+00:00"},{"id":5753,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"0.0.0-20240209181221-674f549daf0e","bug_id":"osv:GHSA-qqc8-rv37-79q5","title":"Mattermost Server Resource Exhaustion","description":"Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed, allowing an attacker to send a very large email payload and crash the server.\n\n","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28053","labels":["BIT-mattermost-2024-28053","CVE-2024-28053","GO-2024-3334"],"created_at":"2026-04-26 03:02:13.100923+00:00","updated_at":"2026-04-26 
03:02:13.100923+00:00"},{"id":5748,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0","fixed_version":"10.5.9","bug_id":"osv:GHSA-pwvr-grqg-7vp2","title":"Mattermost Lack of Access Control Validation","description":"Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows a user to read a thread via AI posts","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49810","labels":["CVE-2025-49810","GO-2025-3903"],"created_at":"2026-04-26 03:02:13.087068+00:00","updated_at":"2026-04-26 03:02:13.087068+00:00"},{"id":5744,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"8.1.0","fixed_version":"8.1.12","bug_id":"osv:GHSA-p2wq-4ggp-45f3","title":"Mattermost fails to limit the size of a request path","description":"Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs which allows an attacker to cause excessive resource consumption, possibly leading to a DoS via sending large request paths","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22091","labels":["CVE-2024-22091","GO-2024-2796"],"created_at":"2026-04-26 03:02:13.076186+00:00","updated_at":"2026-04-26 03:02:13.076186+00:00"},{"id":5741,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0","fixed_version":"10.11.4","bug_id":"osv:GHSA-mqcj-8c2g-h97q","title":"Mattermost Incorrect Authorization vulnerability","description":"Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API 
endpoint.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-11777","labels":["CVE-2025-11777","GO-2025-4122"],"created_at":"2026-04-26 03:02:13.067848+00:00","updated_at":"2026-04-26 03:02:13.067848+00:00"},{"id":5739,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.0.0","bug_id":"osv:GHSA-mj8v-773w-5qhj","title":"Mattermost Server allows System Admin to modify LDAP account names and email addresses","description":"An issue was discovered in Mattermost Server before 3.0.0. It has a superfluous API in which the System Admin can change the account name and e-mail address of an LDAP account.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11077","labels":["CVE-2016-11077","GO-2025-4060"],"created_at":"2026-04-26 03:02:13.062242+00:00","updated_at":"2026-04-26 03:02:13.062242+00:00"},{"id":5732,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20250422131222-701ddc896a10","bug_id":"osv:GHSA-jwhw-xf5v-qgxc","title":"Mattermost allows guest users to view information about public teams they are not members of","description":"Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-4128","labels":["CVE-2025-4128","GO-2025-3757"],"created_at":"2026-04-26 03:02:13.042814+00:00","updated_at":"2026-04-26 
03:02:13.042814+00:00"},{"id":5725,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-202508080704-39bd251fe4f600","bug_id":"osv:GHSA-hm95-jx66-g2gh","title":"Mattermost Open Redirect vulnerability","description":"Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9084","labels":["CVE-2025-9084","GO-2025-3960"],"created_at":"2026-04-26 03:02:13.023583+00:00","updated_at":"2026-04-26 03:02:13.023583+00:00"},{"id":5700,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"0.0.0-20250716054606-3f3e3becfe1d","bug_id":"osv:GHSA-f72g-52v7-mg3p","title":"Mattermost boards plugin fails to restrict download access to files","description":"Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-9081","labels":["CVE-2025-9081","GO-2025-3978"],"created_at":"2026-04-26 03:02:12.954421+00:00","updated_at":"2026-04-26 03:02:12.954421+00:00"},{"id":5698,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20251215190648-6404ab29acc0","bug_id":"osv:GHSA-cgjg-p2m2-qm4p","title":"Mattermost fails to enforce invite permissions when updating team settings","description":"Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. 
Mattermost Advisory ID: MMSA-2025-00561","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14573","labels":["CVE-2025-14573","GO-2026-4523"],"created_at":"2026-04-26 03:02:12.948842+00:00","updated_at":"2026-04-26 03:02:12.948842+00:00"},{"id":5692,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0","fixed_version":"10.11.9","bug_id":"osv:GHSA-9r42-rhw3-2222","title":"Mattermost is vulnerable to CPU exhaustion via crafted HTTP request","description":"Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14822","labels":["CVE-2025-14822","GO-2026-4325"],"created_at":"2026-04-26 03:02:12.932433+00:00","updated_at":"2026-04-26 03:02:12.932433+00:00"},{"id":5687,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0","fixed_version":"10.11.4","bug_id":"osv:GHSA-9hh7-6558-qfp2","title":"Mattermost allows other users to determine when users had read channels via channel member objects","description":"Mattermost versions 10.11.x <= 10.11.3, and 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55074","labels":["CVE-2025-55074","GO-2025-4133"],"created_at":"2026-04-26 03:02:12.918532+00:00","updated_at":"2026-04-26 
03:02:12.918532+00:00"},{"id":5670,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.6.0-rc1","fixed_version":"9.6.1","bug_id":"osv:GHSA-5qx9-9ffj-5r8f","title":"Mattermost fails to fully validate role changes","description":"Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests.\n\n","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4198","labels":["CVE-2024-4198","GO-2024-2794"],"created_at":"2026-04-26 03:02:12.868358+00:00","updated_at":"2026-04-26 03:02:12.868358+00:00"},{"id":5664,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"9.5.0","fixed_version":"9.5.3","bug_id":"osv:GHSA-5fh7-7mw7-mmx5","title":"Mattermost allows team admins to promote guests to team admins","description":"Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.\n\n","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-4195","labels":["CVE-2024-4195","GO-2024-2793"],"created_at":"2026-04-26 03:02:12.851693+00:00","updated_at":"2026-04-26 03:02:12.851693+00:00"},{"id":5660,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0","fixed_version":"10.5.8","bug_id":"osv:GHSA-4fwj-8595-wp25","title":"Mattermost has Insufficiently Protected Credentials","description":"Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST 
API.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6227","labels":["CVE-2025-6227","GO-2025-3818"],"created_at":"2026-04-26 03:02:12.840750+00:00","updated_at":"2026-04-26 03:02:12.840750+00:00"},{"id":5653,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.5.0","fixed_version":"10.5.9","bug_id":"osv:GHSA-4276-cm8c-788h","title":"Mattermost Fails to Properly Validate Team Role Modification","description":"Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53971","labels":["CVE-2025-53971","GO-2025-3902"],"created_at":"2026-04-26 03:02:12.821274+00:00","updated_at":"2026-04-26 03:02:12.821274+00:00"},{"id":5652,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20250820115038-ff30b84049f0","bug_id":"osv:GHSA-424h-xj87-m937","title":"Mattermost has an Incorrect Authorization vulnerability","description":"Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows guest users to add any team members to their private channels via the `/api/v4/channels/{channel_id}/members` endpoint","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-10545","labels":["CVE-2025-10545","GO-2025-4030"],"created_at":"2026-04-26 03:02:12.818255+00:00","updated_at":"2026-04-26 
03:02:12.818255+00:00"},{"id":5640,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":"10.11.0","fixed_version":"10.11.10","bug_id":"osv:GHSA-2xf7-hmf6-p64j","title":"Mattermost doesn't properly validate channel membership at the time of data retrieval","description":"Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint.. Mattermost Advisory ID: MMSA-2025-00549","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-20796","labels":["CVE-2026-20796","GO-2026-4495"],"created_at":"2026-04-26 03:02:12.782328+00:00","updated_at":"2026-04-26 03:02:12.782328+00:00"},{"id":5763,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2","bug_id":"osv:GHSA-v2vm-hq26-5jv6","title":"Mattermost Server is vulnerable to SQL Injection when executing multiple POST requests","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. 
It allows SQL injection during the fetching of multiple posts.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18888","labels":["CVE-2017-18888","GO-2025-4203"],"created_at":"2026-04-26 03:02:13.131962+00:00","updated_at":"2026-04-26 03:02:13.131962+00:00"},{"id":5751,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"0.0.0-20250519205859-65aec10162f6","bug_id":"osv:GHSA-qh58-9v3j-wcjc","title":"Mattermost allows authenticated users to write files to arbitrary locations","description":"Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). 
These configuration settings are enabled by default.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-4981","labels":["CVE-2025-4981","GO-2025-3769"],"created_at":"2026-04-26 03:02:13.095377+00:00","updated_at":"2026-04-26 03:02:13.095377+00:00"},{"id":5740,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20251022210333-acda1fb5dd46","bug_id":"osv:GHSA-mp6x-97xj-9x62","title":"Mattermost fails to verify the token used during code exchange","description":"Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12421","labels":["CVE-2025-12421","GO-2025-4170"],"created_at":"2026-04-26 03:02:13.064997+00:00","updated_at":"2026-04-26 03:02:13.064997+00:00"},{"id":5735,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.6.7-rc1","bug_id":"osv:GHSA-m462-mqw4-2c8m","title":"Mattermost Server has X.509 Improper Certificate Validation","description":"An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. 
The X.509 certificate validation can be skipped for a TLS-based e-mail server.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18911","labels":["CVE-2017-18911","GO-2026-4464"],"created_at":"2026-04-26 03:02:13.051191+00:00","updated_at":"2026-04-26 03:02:13.051191+00:00"},{"id":5726,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.6.7-0.20170420152529-0968e4079e0a","bug_id":"osv:GHSA-hxxj-8phw-74vw","title":"Mattermost Server server restarts may provide attackers with API access","description":"An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. After a restart of a server, an attacker might suddenly gain API Endpoint access.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18915","labels":["CVE-2017-18915","GO-2026-4462"],"created_at":"2026-04-26 03:02:13.026283+00:00","updated_at":"2026-04-26 03:02:13.026283+00:00"},{"id":5712,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2","bug_id":"osv:GHSA-g78f-6xq7-rrhq","title":"Mattermost Server allows attackers to gain privileges by accessing unintended API endpoints with users' credentials","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. 
It allows attackers to gain privileges by accessing unintended API endpoints on a user's behalf.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18885","labels":["CVE-2017-18885","GO-2025-4200"],"created_at":"2026-04-26 03:02:12.987376+00:00","updated_at":"2026-04-26 03:02:12.987376+00:00"},{"id":5684,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.10.3","bug_id":"osv:GHSA-8q4v-35v6-g8wr","title":"Mattermost Server is vulnerable to CSV Injection","description":"An issue was discovered in Mattermost Server before 4.0.4 and 3.10.3. It allows CSV injection via a compliance report.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18900","labels":["CVE-2017-18900","GO-2026-4303"],"created_at":"2026-04-26 03:02:12.909890+00:00","updated_at":"2026-04-26 03:02:12.909890+00:00"},{"id":5679,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"4.1.2","bug_id":"osv:GHSA-876j-jfqf-m7j7","title":"Mattermost Server exposes OAuth personal access tokens to attackers","description":"An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. 
It allows attackers to gain privileges by using a registered OAuth application with personal access tokens.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18884","labels":["CVE-2017-18884","GO-2025-4197"],"created_at":"2026-04-26 03:02:12.896068+00:00","updated_at":"2026-04-26 03:02:12.896068+00:00"},{"id":5651,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"8.0.0-20251028000919-d3ed703dc833","bug_id":"osv:GHSA-3x39-62h4-f8j6","title":"Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication","description":"Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12419","labels":["CVE-2025-12419","GO-2025-4168"],"created_at":"2026-04-26 03:02:12.815488+00:00","updated_at":"2026-04-26 03:02:12.815488+00:00"},{"id":5642,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server","affected_version":null,"fixed_version":"3.9.1-rc1","bug_id":"osv:GHSA-34cx-hvm4-vx7j","title":"Mattermost Server password reset email requests can be sent to attacker-provided email addresses","description":"An issue was discovered in Mattermost Server before 4.0.0, 3.10.1, and 3.9.1. 
A password reset request was sometimes sent to an attacker-provided e-mail address.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18908","labels":["CVE-2017-18908","GO-2026-4476"],"created_at":"2026-04-26 03:02:12.787868+00:00","updated_at":"2026-04-26 03:02:12.787868+00:00"}],"total":384,"_cache":"hit"}