{"ecosystem":"go","package":"github.com/mattermost/mattermost-server/v5","version":null,"bugs":[{"id":5636,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4786","title":"Mattermost fails to validate user's authentication method when processing account auth type switch in github.com/mattermost/mattermost-server","description":"Mattermost fails to validate user's authentication method when processing account auth type switch in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260127144908-ced9a56e3988.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-rv67-7w2g-7976","labels":["CVE-2026-22545","GHSA-rv67-7w2g-7976"],"created_at":"2026-04-26 03:02:07.457507+00:00","updated_at":"2026-04-26 03:02:07.457507+00:00"},{"id":5635,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4749","title":"Mattermost fails to validate team-specific upload_file permissions in github.com/mattermost/mattermost-server","description":"Mattermost fails to validate team-specific upload_file permissions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional 
affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260107144005-c7f6efdfb035.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-xpvf-6qcc-9jqc","labels":["CVE-2026-4265","GHSA-xpvf-6qcc-9jqc"],"created_at":"2026-04-26 03:02:07.454918+00:00","updated_at":"2026-04-26 03:02:07.454918+00:00"},{"id":5634,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4746","title":"Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation in github.com/mattermost/mattermost-server","description":"Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260129133647-5d787969c2d5.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-gqv7-j2j8-qmwq","labels":["CVE-2026-2455","GHSA-gqv7-j2j8-qmwq"],"created_at":"2026-04-26 03:02:07.452383+00:00","updated_at":"2026-04-26 03:02:07.452383+00:00"},{"id":5633,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4745","title":"Mattermost fails to properly enforce read permissions in search API endpoints in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly enforce read permissions in search API endpoints in 
github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260107142155-0481bd1fb045.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-cwfj-642j-gfh4","labels":["CVE-2026-24692","GHSA-cwfj-642j-gfh4"],"created_at":"2026-04-26 03:02:07.449778+00:00","updated_at":"2026-04-26 03:02:07.449778+00:00"},{"id":5632,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4744","title":"Mattermost fails to use consistent error responses when handling the /mute command in github.com/mattermost/mattermost-server","description":"Mattermost fails to use consistent error responses when handling the /mute command in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260130144323-5bb5261c72fa.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-5mr9-crcg-8wh2","labels":["CVE-2026-21386","GHSA-5mr9-crcg-8wh2"],"created_at":"2026-04-26 03:02:07.447214+00:00","updated_at":"2026-04-26 
03:02:07.447214+00:00"},{"id":5631,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4735","title":"Mattermost fails to filter invite IDs based on user permissions in github.com/mattermost/mattermost-server","description":"Mattermost fails to filter invite IDs based on user permissions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260105134819-cc427af41b2a.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fx49-m253-27jj","labels":["CVE-2026-2463","GHSA-fx49-m253-27jj"],"created_at":"2026-04-26 03:02:07.444678+00:00","updated_at":"2026-04-26 03:02:07.444678+00:00"},{"id":5630,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4734","title":"Mattermost fails to preserve the redacted state of burn-on-read posts during deletion in github.com/mattermost/mattermost-server","description":"Mattermost fails to preserve the redacted state of burn-on-read posts during deletion in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before 
v5.3.2-0.20260127062706-c6b205f0d770.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3rhr-jr63-hwq5","labels":["CVE-2026-2578","GHSA-3rhr-jr63-hwq5"],"created_at":"2026-04-26 03:02:07.442037+00:00","updated_at":"2026-04-26 03:02:07.442037+00:00"},{"id":5629,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4733","title":"Mattermost fails to bound memory allocation when processing DOC files in github.com/mattermost/mattermost-server","description":"Mattermost fails to bound memory allocation when processing DOC files in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260123215601-86797c508c44.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-xv2p-wchj-qjhp","labels":["CVE-2026-25780","GHSA-xv2p-wchj-qjhp"],"created_at":"2026-04-26 03:02:07.439438+00:00","updated_at":"2026-04-26 03:02:07.439438+00:00"},{"id":5628,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4732","title":"Mattermost allows attackers to spoof permalink embeds in github.com/mattermost/mattermost-server","description":"Mattermost allows attackers to spoof permalink embeds in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is 
causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260123211116-9efe617be8b8.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-ph22-fw5m-w2q9","labels":["CVE-2026-2457","GHSA-ph22-fw5m-w2q9"],"created_at":"2026-04-26 03:02:07.436864+00:00","updated_at":"2026-04-26 03:02:07.436864+00:00"},{"id":5627,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4731","title":"Mattermost fails to properly handle very long passwords in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly handle very long passwords in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260129164748-7201f42d955f.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-m5rv-56xx-hfc6","labels":["CVE-2026-24458","GHSA-m5rv-56xx-hfc6"],"created_at":"2026-04-26 03:02:07.434317+00:00","updated_at":"2026-04-26 03:02:07.434317+00:00"},{"id":5626,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4729","title":"Mattermost allows a removed team member to enumerate all public channels within a private team in github.com/mattermost/mattermost-server","description":"Mattermost allows a removed team member to 
enumerate all public channels within a private team in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260113182106-a18b80ba4c32.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-679f-wmrg-qf57","labels":["CVE-2026-2458","GHSA-679f-wmrg-qf57"],"created_at":"2026-04-26 03:02:07.431734+00:00","updated_at":"2026-04-26 03:02:07.431734+00:00"},{"id":5625,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4727","title":"Mattermost fails to bound memory allocation when processing PSD image files in github.com/mattermost/mattermost-server","description":"Mattermost fails to bound memory allocation when processing PSD image files in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260115183946-38b413a27604.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26246","labels":["CVE-2026-26246","GHSA-44mv-jq72-gj49"],"created_at":"2026-04-26 03:02:07.429204+00:00","updated_at":"2026-04-26 
03:02:07.429204+00:00"},{"id":5624,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4726","title":"Mattermost fails to limit the size of responses from integration action endpoints in github.com/mattermost/mattermost-server","description":"Mattermost fails to limit the size of responses from integration action endpoints in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20260127165411-fe3052073dc6.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-34g8-9fpp-46ch","labels":["CVE-2026-2456","GHSA-34g8-9fpp-46ch"],"created_at":"2026-04-26 03:02:07.424200+00:00","updated_at":"2026-04-26 03:02:07.424200+00:00"},{"id":5623,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.3.0-rc1+incompatible","fixed_version":"11.3.1+incompatible","bug_id":"osv:GO-2026-4725","title":"Mattermost fails to properly validate User-Agent header tokens in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly validate User-Agent header tokens in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before 
v5.3.2-0.20260129181235-1346cf529aef.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-2v3w-6g35-5f9v","labels":["CVE-2026-25783","GHSA-2v3w-6g35-5f9v"],"created_at":"2026-04-26 03:02:07.421571+00:00","updated_at":"2026-04-26 03:02:07.421571+00:00"},{"id":5622,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.11.0+incompatible","fixed_version":null,"bug_id":"osv:GO-2026-4524","title":"Mattermost fails to sanitize sensitive data in WebSocket messages in github.com/mattermost/mattermost-server","description":"Mattermost fails to sanitize sensitive data in WebSocket messages in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251210191531-cd17b61de41b.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-pp9j-pf5c-659x","labels":["CVE-2025-13821","GHSA-pp9j-pf5c-659x"],"created_at":"2026-04-26 03:02:07.418987+00:00","updated_at":"2026-04-26 03:02:07.418987+00:00"},{"id":5621,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.11.0+incompatible","fixed_version":null,"bug_id":"osv:GO-2026-4523","title":"Mattermost fails to enforce invite permissions when updating team settings in github.com/mattermost/mattermost-server","description":"Mattermost fails to enforce invite permissions when updating team settings in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing 
false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251215190648-6404ab29acc0.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-cgjg-p2m2-qm4p","labels":["CVE-2025-14573","GHSA-cgjg-p2m2-qm4p"],"created_at":"2026-04-26 03:02:07.416395+00:00","updated_at":"2026-04-26 03:02:07.416395+00:00"},{"id":5620,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.11.0+incompatible","fixed_version":null,"bug_id":"osv:GO-2026-4521","title":"Mattermost fails to properly validate team membership when processing channel mentions in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly validate team membership when processing channel mentions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251209134645-761e56bb11cc.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-57cc-2pf4-mhmx","labels":["CVE-2025-14350","GHSA-57cc-2pf4-mhmx"],"created_at":"2026-04-26 03:02:07.413810+00:00","updated_at":"2026-04-26 03:02:07.413810+00:00"},{"id":5619,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.11.0+incompatible","fixed_version":null,"bug_id":"osv:GO-2026-4520","title":"Mattermost fails to properly validate login method restrictions in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly validate login method restrictions 
in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20251212052346-61651b0df7ea.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-3c9r-7f29-qp32","labels":["CVE-2026-0999","GHSA-3c9r-7f29-qp32"],"created_at":"2026-04-26 03:02:07.411226+00:00","updated_at":"2026-04-26 03:02:07.411226+00:00"},{"id":5618,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"8.0.0-20251121122154-b57c297c6d7a","bug_id":"osv:GO-2026-4275","title":"Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira","description":"Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-plugin-jira before v4.4.1.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qvmc-92vg-6r35","labels":["CVE-2025-14273","GHSA-qvmc-92vg-6r35"],"created_at":"2026-04-26 03:02:07.408646+00:00","updated_at":"2026-04-26 
03:02:07.408646+00:00"},{"id":5617,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.1.0+incompatible","fixed_version":"11.1.1+incompatible","bug_id":"osv:GO-2025-4260","title":"Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin in github.com/mattermost/mattermost-server","description":"Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20251121122154-b57c297c6d7.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vww6-79rv-3j4x","labels":["CVE-2025-64641","GHSA-vww6-79rv-3j4x"],"created_at":"2026-04-26 03:02:07.405979+00:00","updated_at":"2026-04-26 03:02:07.405979+00:00"},{"id":5616,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.1.0+incompatible","fixed_version":"11.1.1+incompatible","bug_id":"osv:GO-2025-4259","title":"Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues in github.com/mattermost/mattermost-server","description":"Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the 
report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20251121122154-b57c297c6d7.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fmqf-pmcm-8cx9","labels":["CVE-2025-13767","GHSA-fmqf-pmcm-8cx9"],"created_at":"2026-04-26 03:02:07.403452+00:00","updated_at":"2026-04-26 03:02:07.403452+00:00"},{"id":5615,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.0.0-alpha.1+incompatible","fixed_version":"11.0.4+incompatible","bug_id":"osv:GO-2025-4256","title":"Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost","description":"Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-x3r8-2hmh-89f5","labels":["CVE-2025-13324","GHSA-x3r8-2hmh-89f5"],"created_at":"2026-04-26 03:02:07.400826+00:00","updated_at":"2026-04-26 03:02:07.400826+00:00"},{"id":5614,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.11.0-rc1+incompatible","fixed_version":"11.1.0+incompatible","bug_id":"osv:GO-2025-4248","title":"Mattermost has missing redirect URL validation in github.com/mattermost/mattermost","description":"Mattermost has missing redirect URL validation in github.com/mattermost/mattermost.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost before 
v10.11.5-0.20251016131338-dad6bd7a1509.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-q66g-q98c-q454","labels":["CVE-2025-62690","GHSA-q66g-q98c-q454"],"created_at":"2026-04-26 03:02:07.398242+00:00","updated_at":"2026-04-26 03:02:07.398242+00:00"},{"id":5613,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"11.0.0-alpha.1+incompatible","fixed_version":"11.1.0+incompatible","bug_id":"osv:GO-2025-4247","title":"Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost","description":"Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost before v10.11.7-0.20251106103514-3b05384dd014; github.com/mattermost/mattermost-server before v10.11.7-0.20251106103514-3b05384dd014.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-jf5h-xfw4-p8gp","labels":["CVE-2025-13352","GHSA-jf5h-xfw4-p8gp"],"created_at":"2026-04-26 03:02:07.395655+00:00","updated_at":"2026-04-26 03:02:07.395655+00:00"},{"id":5612,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.11.0+incompatible","fixed_version":"10.11.5+incompatible","bug_id":"osv:GO-2025-4178","title":"Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost","description":"Mattermost fails to validate user permissions in Boards in 
github.com/mattermost/mattermost","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-58w6-w55x-6wq8","labels":["CVE-2025-13870","GHSA-58w6-w55x-6wq8"],"created_at":"2026-04-26 03:02:07.393021+00:00","updated_at":"2026-04-26 03:02:07.393021+00:00"},{"id":5611,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":null,"bug_id":"osv:GO-2025-4172","title":"Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost","description":"Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-p6gj-jc38-x2m7","labels":["CVE-2025-12756","GHSA-p6gj-jc38-x2m7"],"created_at":"2026-04-26 03:02:07.390432+00:00","updated_at":"2026-04-26 03:02:07.390432+00:00"},{"id":5610,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"8.0.0-20251022210333-acda1fb5dd46","bug_id":"osv:GO-2025-4170","title":"Mattermost fails to verify the token used during code exchange in github.com/mattermost/mattermost-server","description":"Mattermost fails to verify the token used during code exchange in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the 
report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server from v10.5.0 before v10.5.13, from v10.11.0 before v10.11.5, from v10.12.0 before v10.12.2, from v11.0.0 before v11.0.3.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-mp6x-97xj-9x62","labels":["CVE-2025-12421","GHSA-mp6x-97xj-9x62"],"created_at":"2026-04-26 03:02:07.387888+00:00","updated_at":"2026-04-26 03:02:07.387888+00:00"},{"id":5609,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"8.0.0-20251015091448-abbf01b9db45","bug_id":"osv:GO-2025-4169","title":"Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server","description":"Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server from v10.5.0 before v10.5.13, from v10.11.0 before v10.11.5, from v10.12.0 before v10.12.2, from v11.0.0 before v11.0.3.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4g87-9x45-cx2h","labels":["CVE-2025-12559","GHSA-4g87-9x45-cx2h"],"created_at":"2026-04-26 03:02:07.385302+00:00","updated_at":"2026-04-26 03:02:07.385302+00:00"},{"id":5608,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"8.0.0-20251028000919-d3ed703dc833","bug_id":"osv:GO-2025-4168","title":"Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server","description":"Mattermost 
fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server from v10.5.0 before v10.5.13, from v10.11.0 before v10.11.5, from v10.12.0 before v10.12.2, from v11.0.0 before v11.0.4.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3x39-62h4-f8j6","labels":["CVE-2025-12419","GHSA-3x39-62h4-f8j6"],"created_at":"2026-04-26 03:02:07.382710+00:00","updated_at":"2026-04-26 03:02:07.382710+00:00"},{"id":5607,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"5.1.0","bug_id":"osv:GO-2025-4146","title":"Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server","description":"Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-5mh6-p63g-3mv5","labels":["CVE-2018-21258","GHSA-5mh6-p63g-3mv5"],"created_at":"2026-04-26 03:02:07.380108+00:00","updated_at":"2026-04-26 03:02:07.380108+00:00"},{"id":5606,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.11.0+incompatible","fixed_version":"10.11.4+incompatible","bug_id":"osv:GO-2025-4133","title":"Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server","description":"Mattermost allows other users to determine 
when users had read channels via channel member objects in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250905150616-ba86dfc5876b6.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9hh7-6558-qfp2","labels":["CVE-2025-55074","GHSA-9hh7-6558-qfp2"],"created_at":"2026-04-26 03:02:07.377520+00:00","updated_at":"2026-04-26 03:02:07.377520+00:00"},{"id":5605,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"11.0.0-alpha.1+incompatible","bug_id":"osv:GO-2025-4131","title":"Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server","description":"Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-x3hx-ch7p-8xgg","labels":["CVE-2025-41436","GHSA-x3hx-ch7p-8xgg"],"created_at":"2026-04-26 03:02:07.374982+00:00","updated_at":"2026-04-26 03:02:07.374982+00:00"},{"id":5604,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.12.0+incompatible","fixed_version":"10.12.1+incompatible","bug_id":"osv:GO-2025-4130","title":"Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server","description":"Mattermost allows system administrators to access password hashes and MFA secrets in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-mqp8-pgg5-7x7m","labels":["CVE-2025-11794","GHSA-mqp8-pgg5-7x7m"],"created_at":"2026-04-26 03:02:07.372441+00:00","updated_at":"2026-04-26 03:02:07.372441+00:00"},{"id":5603,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.12.0+incompatible","fixed_version":"10.12.1+incompatible","bug_id":"osv:GO-2025-4129","title":"Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server","description":"Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-ff85-qw3h-g9vp","labels":["CVE-2025-55073","GHSA-ff85-qw3h-g9vp"],"created_at":"2026-04-26 03:02:07.369926+00:00","updated_at":"2026-04-26 03:02:07.369926+00:00"},{"id":5602,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"11.1.0+incompatible","bug_id":"osv:GO-2025-4128","title":"Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server","description":"Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-xpg8-8xpv-948p","labels":["CVE-2025-55070","GHSA-xpg8-8xpv-948p"],"created_at":"2026-04-26 03:02:07.367430+00:00","updated_at":"2026-04-26 03:02:07.367430+00:00"},{"id":5601,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"8.0.0-20250815165020-c8d66301415d","bug_id":"osv:GO-2025-4126","title":"Mattermost fails to properly restrict access to 
archived channel search API in github.com/mattermost/mattermost","description":"Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/v5 before v5.3.2-0.20250815165020-c8d66301415d; github.com/mattermost/mattermost-server/v5 before v5.3.2-0.20250815165020-c8d66301415d.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-j6gg-r5jc-47cm","labels":["CVE-2025-11776","GHSA-j6gg-r5jc-47cm"],"created_at":"2026-04-26 03:02:07.364787+00:00","updated_at":"2026-04-26 03:02:07.364787+00:00"},{"id":5600,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.11.0+incompatible","fixed_version":"10.11.4+incompatible","bug_id":"osv:GO-2025-4122","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost","description":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-mqcj-8c2g-h97q","labels":["CVE-2025-11777","GHSA-mqcj-8c2g-h97q"],"created_at":"2026-04-26 03:02:07.362230+00:00","updated_at":"2026-04-26 03:02:07.362230+00:00"},{"id":5599,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.11.0+incompatible","fixed_version":"10.11.3+incompatible","bug_id":"osv:GO-2025-4036","title":"Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost has an Observable Timing Discrepancy vulnerability in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-xr3w-rmvj-f6m7","labels":["CVE-2025-54499","GHSA-xr3w-rmvj-f6m7"],"created_at":"2026-04-26 03:02:07.359699+00:00","updated_at":"2026-04-26 03:02:07.359699+00:00"},{"id":5598,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.11.0+incompatible","fixed_version":"10.11.2+incompatible","bug_id":"osv:GO-2025-4035","title":"Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250815100400-2d5cdc6e217e.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-r6qj-894f-5hr2","labels":["CVE-2025-58075","GHSA-r6qj-894f-5hr2"],"created_at":"2026-04-26 03:02:07.357116+00:00","updated_at":"2026-04-26 03:02:07.357116+00:00"},{"id":5597,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.11.0+incompatible","fixed_version":"10.11.2+incompatible","bug_id":"osv:GO-2025-4032","title":"Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-6q7m-p8cc-998r","labels":["CVE-2025-58073","GHSA-6q7m-p8cc-998r"],"created_at":"2026-04-26 
03:02:07.354609+00:00","updated_at":"2026-04-26 03:02:07.354609+00:00"},{"id":5596,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.11.0+incompatible","fixed_version":"10.11.3+incompatible","bug_id":"osv:GO-2025-4030","title":"Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-424h-xj87-m937","labels":["CVE-2025-10545","GHSA-424h-xj87-m937"],"created_at":"2026-04-26 03:02:07.351788+00:00","updated_at":"2026-04-26 03:02:07.351788+00:00"},{"id":5595,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.11.0+incompatible","fixed_version":"10.11.3+incompatible","bug_id":"osv:GO-2025-4029","title":"Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250822083415-01b95392a450.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3q4q-wqm6-hvf3","labels":["CVE-2025-41410","GHSA-3q4q-wqm6-hvf3"],"created_at":"2026-04-26 03:02:07.349198+00:00","updated_at":"2026-04-26 
03:02:07.349198+00:00"},{"id":5594,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"0.0.0-20250716054606-3f3e3becfe1d","bug_id":"osv:GO-2025-3978","title":"Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards","description":"Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-f72g-52v7-mg3p","labels":["CVE-2025-9081","GHSA-f72g-52v7-mg3p"],"created_at":"2026-04-26 03:02:07.346625+00:00","updated_at":"2026-04-26 03:02:07.346625+00:00"},{"id":5593,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.10.0+incompatible","fixed_version":"10.10.2+incompatible","bug_id":"osv:GO-2025-3977","title":"Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qx3f-6vq3-8j8m","labels":["CVE-2025-9079","GHSA-qx3f-6vq3-8j8m"],"created_at":"2026-04-26 03:02:07.344067+00:00","updated_at":"2026-04-26 03:02:07.344067+00:00"},{"id":5592,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.10+incompatible","bug_id":"osv:GO-2025-3960","title":"Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, 
please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-202508080704-39bd251fe4f600.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hm95-jx66-g2gh","labels":["CVE-2025-9084","GHSA-hm95-jx66-g2gh"],"created_at":"2026-04-26 03:02:07.341536+00:00","updated_at":"2026-04-26 03:02:07.341536+00:00"},{"id":5591,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.10.0+incompatible","fixed_version":"10.10.2+incompatible","bug_id":"osv:GO-2025-3959","title":"Mattermost makes Use of Weak Hash in github.com/mattermost/mattermost-server","description":"Mattermost makes Use of Weak Hash in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9p92-x77w-9fw2","labels":["CVE-2025-9078","GHSA-9p92-x77w-9fw2"],"created_at":"2026-04-26 03:02:07.338947+00:00","updated_at":"2026-04-26 03:02:07.338947+00:00"},{"id":5590,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.10.0+incompatible","fixed_version":"10.10.2+incompatible","bug_id":"osv:GO-2025-3958","title":"Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-69j8-prx2-vx98","labels":["CVE-2025-9072","GHSA-69j8-prx2-vx98"],"created_at":"2026-04-26 03:02:07.336306+00:00","updated_at":"2026-04-26 03:02:07.336306+00:00"},{"id":5589,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.10.0+incompatible","fixed_version":"10.10.2+incompatible","bug_id":"osv:GO-2025-3950","title":"Mattermost Missing Authorization vulnerability in 
github.com/mattermost/mattermost-server","description":"Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250729073403-517ae758cd02.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3vcm-c42p-3hhf","labels":["CVE-2025-9076","GHSA-3vcm-c42p-3hhf"],"created_at":"2026-04-26 03:02:07.333689+00:00","updated_at":"2026-04-26 03:02:07.333689+00:00"},{"id":5588,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.10.0+incompatible","fixed_version":"10.10.1+incompatible","bug_id":"osv:GO-2025-3911","title":"Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server","description":"Mattermost has Potential Server Crash due to Unvalidated Import Data in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250708173752-d6b35c41f0ae5.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-h469-4fcf-p23h","labels":["CVE-2025-8402","GHSA-h469-4fcf-p23h"],"created_at":"2026-04-26 03:02:07.331118+00:00","updated_at":"2026-04-26 
03:02:07.331118+00:00"},{"id":5587,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.10.0+incompatible","fixed_version":"10.10.1+incompatible","bug_id":"osv:GO-2025-3910","title":"Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Sanitize File Names in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250708173752-d6b35c41f0ae5.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-pj6f-rc94-gw53","labels":["CVE-2025-6465","GHSA-pj6f-rc94-gw53"],"created_at":"2026-04-26 03:02:07.328482+00:00","updated_at":"2026-04-26 03:02:07.328482+00:00"},{"id":5586,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.9.0+incompatible","fixed_version":"10.9.3+incompatible","bug_id":"osv:GO-2025-3907","title":"Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-x67c-v8jr-p29r","labels":["CVE-2025-8023","GHSA-x67c-v8jr-p29r"],"created_at":"2026-04-26 03:02:07.325890+00:00","updated_at":"2026-04-26 03:02:07.325890+00:00"},{"id":5585,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.10+incompatible","bug_id":"osv:GO-2025-3906","title":"Mattermost Server SSRF Vulnerability via 
the Agents Plugin in github.com/mattermost/mattermost-server","description":"Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vqwh-5jhh-vc9p","labels":["CVE-2025-47700","GHSA-vqwh-5jhh-vc9p"],"created_at":"2026-04-26 03:02:07.323235+00:00","updated_at":"2026-04-26 03:02:07.323235+00:00"},{"id":5584,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.9.0+incompatible","fixed_version":"10.9.3+incompatible","bug_id":"osv:GO-2025-3905","title":"Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server","description":"Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qj47-w9f2-qg44","labels":["CVE-2025-47870","GHSA-qj47-w9f2-qg44"],"created_at":"2026-04-26 03:02:07.320699+00:00","updated_at":"2026-04-26 03:02:07.320699+00:00"},{"id":5583,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.10.0+incompatible","fixed_version":"10.10.1+incompatible","bug_id":"osv:GO-2025-3904","title":"Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before 
v8.0.0-20250708173752-d6b35c41f0ae5.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-q453-638c-h4mr","labels":["CVE-2025-49222","GHSA-q453-638c-h4mr"],"created_at":"2026-04-26 03:02:07.318067+00:00","updated_at":"2026-04-26 03:02:07.318067+00:00"},{"id":5582,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.9+incompatible","bug_id":"osv:GO-2025-3903","title":"Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server","description":"Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-pwvr-grqg-7vp2","labels":["CVE-2025-49810","GHSA-pwvr-grqg-7vp2"],"created_at":"2026-04-26 03:02:07.315521+00:00","updated_at":"2026-04-26 03:02:07.315521+00:00"},{"id":5581,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.9+incompatible","bug_id":"osv:GO-2025-3902","title":"Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4276-cm8c-788h","labels":["CVE-2025-53971","GHSA-4276-cm8c-788h"],"created_at":"2026-04-26 03:02:07.312940+00:00","updated_at":"2026-04-26 03:02:07.312940+00:00"},{"id":5580,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.9.0+incompatible","fixed_version":"10.9.2+incompatible","bug_id":"osv:GO-2025-3901","title":"Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Validate File Paths 
in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.0.0-20250619095651-9dd0b3943e55.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-gq3r-5833-5532","labels":["CVE-2025-36530","GHSA-gq3r-5833-5532"],"created_at":"2026-04-26 03:02:07.310350+00:00","updated_at":"2026-04-26 03:02:07.310350+00:00"},{"id":5579,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.8.0+incompatible","fixed_version":"10.8.2+incompatible","bug_id":"osv:GO-2025-3820","title":"Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-wvw2-3jh4-4c39","labels":["CVE-2025-6233","GHSA-wvw2-3jh4-4c39"],"created_at":"2026-04-26 03:02:07.307722+00:00","updated_at":"2026-04-26 03:02:07.307722+00:00"},{"id":5578,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.8.0+incompatible","fixed_version":"10.8.2+incompatible","bug_id":"osv:GO-2025-3819","title":"Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server","description":"Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-7h34-9chr-58qh","labels":["CVE-2025-6226","GHSA-7h34-9chr-58qh"],"created_at":"2026-04-26 
03:02:07.305189+00:00","updated_at":"2026-04-26 03:02:07.305189+00:00"},{"id":5577,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.8+incompatible","bug_id":"osv:GO-2025-3818","title":"Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server","description":"Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4fwj-8595-wp25","labels":["CVE-2025-6227","GHSA-4fwj-8595-wp25"],"created_at":"2026-04-26 03:02:07.302597+00:00","updated_at":"2026-04-26 03:02:07.302597+00:00"},{"id":5576,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.8.0+incompatible","fixed_version":"10.8.1+incompatible","bug_id":"osv:GO-2025-3797","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-wgvp-jj4w-88hf","labels":["CVE-2025-47871","GHSA-wgvp-jj4w-88hf"],"created_at":"2026-04-26 03:02:07.300068+00:00","updated_at":"2026-04-26 03:02:07.300068+00:00"},{"id":5575,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.8.0+incompatible","fixed_version":"10.8.1+incompatible","bug_id":"osv:GO-2025-3796","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Authorization vulnerability in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-v8fr-vxmw-6mf6","labels":["CVE-2025-46702","GHSA-v8fr-vxmw-6mf6"],"created_at":"2026-04-26 03:02:07.297488+00:00","updated_at":"2026-04-26 03:02:07.297488+00:00"},{"id":5574,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.8.0+incompatible","fixed_version":"10.8.1+incompatible","bug_id":"osv:GO-2025-3772","title":"Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server","description":"Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qwwm-c582-82rx","labels":["CVE-2025-3227","GHSA-qwwm-c582-82rx"],"created_at":"2026-04-26 03:02:07.294937+00:00","updated_at":"2026-04-26 03:02:07.294937+00:00"},{"id":5573,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.8.0+incompatible","fixed_version":"10.8.1+incompatible","bug_id":"osv:GO-2025-3771","title":"Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server","description":"Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4578-6gjh-f2jm","labels":["CVE-2025-3228","GHSA-4578-6gjh-f2jm"],"created_at":"2026-04-26 03:02:07.292341+00:00","updated_at":"2026-04-26 03:02:07.292341+00:00"},{"id":5572,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.8.0+incompatible","fixed_version":"10.8.1+incompatible","bug_id":"osv:GO-2025-3769","title":"Mattermost allows authenticated users to write files to 
arbitrary locations in github.com/mattermost/mattermost-server","description":"Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qh58-9v3j-wcjc","labels":["CVE-2025-4981","GHSA-qh58-9v3j-wcjc"],"created_at":"2026-04-26 03:02:07.289808+00:00","updated_at":"2026-04-26 03:02:07.289808+00:00"},{"id":5571,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.5+incompatible","bug_id":"osv:GO-2025-3757","title":"Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server","description":"Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-jwhw-xf5v-qgxc","labels":["CVE-2025-4128","GHSA-jwhw-xf5v-qgxc"],"created_at":"2026-04-26 03:02:07.287215+00:00","updated_at":"2026-04-26 03:02:07.287215+00:00"},{"id":5570,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.7.0+incompatible","fixed_version":"10.7.2+incompatible","bug_id":"osv:GO-2025-3756","title":"Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server","description":"Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4r67-4x4p-fprg","labels":["CVE-2025-4573","GHSA-4r67-4x4p-fprg"],"created_at":"2026-04-26 03:02:07.284697+00:00","updated_at":"2026-04-26 
03:02:07.284697+00:00"},{"id":5569,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.7.0-rc1+incompatible","fixed_version":"10.7.1+incompatible","bug_id":"osv:GO-2025-3731","title":"Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-mc2f-jgj6-6cp3","labels":["CVE-2025-3230","GHSA-mc2f-jgj6-6cp3"],"created_at":"2026-04-26 03:02:07.282079+00:00","updated_at":"2026-04-26 03:02:07.282079+00:00"},{"id":5568,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.6.0-rc1+incompatible","fixed_version":"10.7.1+incompatible","bug_id":"osv:GO-2025-3730","title":"Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hc6v-386m-93pq","labels":["CVE-2025-1792","GHSA-hc6v-386m-93pq"],"created_at":"2026-04-26 03:02:07.279539+00:00","updated_at":"2026-04-26 03:02:07.279539+00:00"},{"id":5567,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.7.0-rc1+incompatible","fixed_version":"10.7.1+incompatible","bug_id":"osv:GO-2025-3729","title":"Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server","description":"Mattermost fails to clear Google OAuth credentials in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-8cgx-9ccj-3gwr","labels":["CVE-2025-2571","GHSA-8cgx-9ccj-3gwr"],"created_at":"2026-04-26 03:02:07.276962+00:00","updated_at":"2026-04-26 03:02:07.276962+00:00"},{"id":5566,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.6.0-rc1+incompatible","fixed_version":"10.7.1+incompatible","bug_id":"osv:GO-2025-3728","title":"Mattermost fails to properly enforce access control restrictions for System Manager roles in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly enforce access control restrictions for System Manager roles in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-86jg-35xj-3vv5","labels":["CVE-2025-3611","GHSA-86jg-35xj-3vv5"],"created_at":"2026-04-26 03:02:07.274420+00:00","updated_at":"2026-04-26 03:02:07.274420+00:00"},{"id":5565,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.7.0-rc1+incompatible","fixed_version":"10.7.1+incompatible","bug_id":"osv:GO-2025-3724","title":"Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server","description":"Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4mmr-2w8p-whcr","labels":["CVE-2025-3913","GHSA-4mmr-2w8p-whcr"],"created_at":"2026-04-26 03:02:07.271832+00:00","updated_at":"2026-04-26 03:02:07.271832+00:00"},{"id":5564,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.3+incompatible","bug_id":"osv:GO-2025-3694","title":"Mattermost Fails to 
Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fpff-wj6m-grvr","labels":["CVE-2025-2570","GHSA-fpff-wj6m-grvr"],"created_at":"2026-04-26 03:02:07.269187+00:00","updated_at":"2026-04-26 03:02:07.269187+00:00"},{"id":5563,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.6.0+incompatible","fixed_version":"10.6.2+incompatible","bug_id":"osv:GO-2025-3693","title":"Mattermost Fails to Validate Team Invite Permissions in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Validate Team Invite Permissions in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-r7r2-m3vr-c8qc","labels":["CVE-2025-3446","GHSA-r7r2-m3vr-c8qc"],"created_at":"2026-04-26 03:02:07.266549+00:00","updated_at":"2026-04-26 03:02:07.266549+00:00"},{"id":5562,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.6.0+incompatible","fixed_version":"10.6.2+incompatible","bug_id":"osv:GO-2025-3692","title":"Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qgwx-rffp-6cx9","labels":["CVE-2025-31947","GHSA-qgwx-rffp-6cx9"],"created_at":"2026-04-26 03:02:07.264005+00:00","updated_at":"2026-04-26 
03:02:07.264005+00:00"},{"id":5561,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.3+incompatible","bug_id":"osv:GO-2025-3691","title":"Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-h356-3mfw-x368","labels":["CVE-2025-2527","GHSA-h356-3mfw-x368"],"created_at":"2026-04-26 03:02:07.261410+00:00","updated_at":"2026-04-26 03:02:07.261410+00:00"},{"id":5560,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"1.41.0","bug_id":"osv:GO-2025-3644","title":"Mattermost Playbooks fails to properly validate permissions in github.com/mattermost/mattermost-plugin-playbooks","description":"Mattermost Playbooks fails to properly validate permissions in github.com/mattermost/mattermost-plugin-playbooks.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fr22-5377-f3p7","labels":["CVE-2025-41423","GHSA-fr22-5377-f3p7"],"created_at":"2026-04-26 03:02:07.256328+00:00","updated_at":"2026-04-26 03:02:07.256328+00:00"},{"id":5559,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"1.41.0","bug_id":"osv:GO-2025-3643","title":"Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in 
github.com/mattermost/mattermost-plugin-playbooks","description":"Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-689c-xq7x-xjwf","labels":["CVE-2025-35965","GHSA-689c-xq7x-xjwf"],"created_at":"2026-04-26 03:02:07.253755+00:00","updated_at":"2026-04-26 03:02:07.253755+00:00"},{"id":5558,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"1.41.0","bug_id":"osv:GO-2025-3642","title":"Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks","description":"Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3g36-gf7c-75qw","labels":["CVE-2025-41395","GHSA-3g36-gf7c-75qw"],"created_at":"2026-04-26 03:02:07.251115+00:00","updated_at":"2026-04-26 
03:02:07.251115+00:00"},{"id":5557,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3623","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-mj2p-v2c2-vh4v","labels":["CVE-2025-2564","GHSA-mj2p-v2c2-vh4v"],"created_at":"2026-04-26 03:02:07.246171+00:00","updated_at":"2026-04-26 03:02:07.246171+00:00"},{"id":5556,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.1+incompatible","bug_id":"osv:GO-2025-3622","title":"Mattermost doesn't restrict domains LLM can request to contact upstream in github.com/mattermost/mattermost-server","description":"Mattermost doesn't restrict domains LLM can request to contact upstream in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9h6j-4ffx-cm84","labels":["CVE-2025-31363","GHSA-9h6j-4ffx-cm84"],"created_at":"2026-04-26 03:02:07.243558+00:00","updated_at":"2026-04-26 03:02:07.243558+00:00"},{"id":5555,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3621","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Authorization vulnerability in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-j639-m367-75cf","labels":["CVE-2025-24839","GHSA-j639-m367-75cf"],"created_at":"2026-04-26 03:02:07.240973+00:00","updated_at":"2026-04-26 03:02:07.240973+00:00"},{"id":5554,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3620","title":"Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server","description":"Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-j5jw-m2ph-3jjf","labels":["CVE-2025-27538","GHSA-j5jw-m2ph-3jjf"],"created_at":"2026-04-26 03:02:07.238485+00:00","updated_at":"2026-04-26 03:02:07.238485+00:00"},{"id":5553,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3619","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-h4rr-f37j-4hh7","labels":["CVE-2025-27571","GHSA-h4rr-f37j-4hh7"],"created_at":"2026-04-26 03:02:07.235912+00:00","updated_at":"2026-04-26 03:02:07.235912+00:00"},{"id":5552,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3618","title":"Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams","description":"Mattermost 
vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-plugin-msteams before v2.1.0.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-2j87-p623-8cc2","labels":["CVE-2025-27936","GHSA-2j87-p623-8cc2"],"created_at":"2026-04-26 03:02:07.233368+00:00","updated_at":"2026-04-26 03:02:07.233368+00:00"},{"id":5551,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3611","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-wwhj-pw6h-f8hw","labels":["CVE-2025-2424","GHSA-wwhj-pw6h-f8hw"],"created_at":"2026-04-26 03:02:07.230831+00:00","updated_at":"2026-04-26 03:02:07.230831+00:00"},{"id":5550,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3610","title":"Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-server","description":"Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-6rqh-8465-2xcw","labels":["CVE-2025-2475","GHSA-6rqh-8465-2xcw"],"created_at":"2026-04-26 03:02:07.228238+00:00","updated_at":"2026-04-26 03:02:07.228238+00:00"},{"id":5549,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.2+incompatible","bug_id":"osv:GO-2025-3609","title":"Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-322v-vh2g-qvpv","labels":["CVE-2025-32093","GHSA-322v-vh2g-qvpv"],"created_at":"2026-04-26 03:02:07.225622+00:00","updated_at":"2026-04-26 03:02:07.225622+00:00"},{"id":5548,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.11.0+incompatible","fixed_version":"9.11.9+incompatible","bug_id":"osv:GO-2025-3604","title":"Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Enforce Proper Access Controls on `/api/v4/audits` Endpoint in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-xfq9-hh5x-xfq9","labels":["CVE-2025-24866","GHSA-xfq9-hh5x-xfq9"],"created_at":"2026-04-26 03:02:07.223129+00:00","updated_at":"2026-04-26 03:02:07.223129+00:00"},{"id":5547,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.4.0+incompatible","fixed_version":"10.4.3+incompatible","bug_id":"osv:GO-2025-3556","title":"Mattermost allows members with permission to convert public 
channels to private and convert private to public in github.com/mattermost/mattermost-server","description":"Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-h5v9-xw2g-7hrq","labels":["BIT-mattermost-2025-27933","CVE-2025-27933","GHSA-h5v9-xw2g-7hrq"],"created_at":"2026-04-26 03:02:07.220545+00:00","updated_at":"2026-04-26 03:02:07.220545+00:00"},{"id":5546,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.11.0+incompatible","fixed_version":"9.11.9+incompatible","bug_id":"osv:GO-2025-3555","title":"Mattermost fail to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server","description":"Mattermost fail to prompt for explicit approval before adding a team admin to a private channel in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-cw7q-5cgc-h3h9","labels":["BIT-mattermost-2025-27715","CVE-2025-27715","GHSA-cw7q-5cgc-h3h9"],"created_at":"2026-04-26 03:02:07.218001+00:00","updated_at":"2026-04-26 03:02:07.218001+00:00"},{"id":5545,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.1+incompatible","bug_id":"osv:GO-2025-3552","title":"Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Restrict Bookmark Creation and Updates in Archived Channels in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-rp74-x43m-cpw3","labels":["BIT-mattermost-2025-24920","CVE-2025-24920","GHSA-rp74-x43m-cpw3"],"created_at":"2026-04-26 03:02:07.215346+00:00","updated_at":"2026-04-26 03:02:07.215346+00:00"},{"id":5544,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.1+incompatible","bug_id":"osv:GO-2025-3551","title":"Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-72qv-j8vr-xvfv","labels":["BIT-mattermost-2025-25068","CVE-2025-25068","GHSA-72qv-j8vr-xvfv"],"created_at":"2026-04-26 03:02:07.212748+00:00","updated_at":"2026-04-26 03:02:07.212748+00:00"},{"id":5543,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.1+incompatible","bug_id":"osv:GO-2025-3550","title":"Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Restrict Command Execution in Archived Channels in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4v65-xqcj-wpgg","labels":["BIT-mattermost-2025-25274","CVE-2025-25274","GHSA-4v65-xqcj-wpgg"],"created_at":"2026-04-26 03:02:07.210126+00:00","updated_at":"2026-04-26 03:02:07.210126+00:00"},{"id":5542,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0+incompatible","fixed_version":"10.5.1+incompatible","bug_id":"osv:GO-2025-3549","title":"Mattermost Fails to 
Enforce Certain Search APIs in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Enforce Certain Search APIs in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3gpx-p63p-pr5r","labels":["BIT-mattermost-2025-30179","CVE-2025-30179","GHSA-3gpx-p63p-pr5r"],"created_at":"2026-04-26 03:02:07.207526+00:00","updated_at":"2026-04-26 03:02:07.207526+00:00"},{"id":5541,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.11.0+incompatible","fixed_version":"9.11.9+incompatible","bug_id":"osv:GO-2025-3534","title":"Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server","description":"Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fqrq-xmxj-v47x","labels":["CVE-2025-1472","GHSA-fqrq-xmxj-v47x"],"created_at":"2026-04-26 03:02:07.204988+00:00","updated_at":"2026-04-26 03:02:07.204988+00:00"},{"id":5540,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.4.0-rc1+incompatible","fixed_version":"10.4.2+incompatible","bug_id":"osv:GO-2025-3483","title":"Mattermost allows reading arbitrary files in github.com/mattermost/mattermost-server","description":"Mattermost allows reading arbitrary files in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-v469-7wp6-7cvp","labels":["CVE-2025-20051","GHSA-v469-7wp6-7cvp"],"created_at":"2026-04-26 03:02:07.202494+00:00","updated_at":"2026-04-26 
03:02:07.202494+00:00"},{"id":5539,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.4.0-rc1+incompatible","fixed_version":"10.4.2+incompatible","bug_id":"osv:GO-2025-3482","title":"Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server","description":"Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-rhvr-6w8c-6v7w","labels":["CVE-2025-1412","GHSA-rhvr-6w8c-6v7w"],"created_at":"2026-04-26 03:02:07.199924+00:00","updated_at":"2026-04-26 03:02:07.199924+00:00"},{"id":5538,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.4.0-rc1+incompatible","fixed_version":"10.4.2+incompatible","bug_id":"osv:GO-2025-3481","title":"Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server","description":"Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-q8p2-2hwc-jw64","labels":["CVE-2025-24526","GHSA-q8p2-2hwc-jw64"],"created_at":"2026-04-26 03:02:07.197371+00:00","updated_at":"2026-04-26 03:02:07.197371+00:00"},{"id":5537,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.4.0-rc1+incompatible","fixed_version":"10.4.2+incompatible","bug_id":"osv:GO-2025-3480","title":"Mattermost allows reading arbitrary files related to importing boards in github.com/mattermost/mattermost-server","description":"Mattermost allows reading arbitrary files related to importing boards in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-5fwx-p6xh-vjrh","labels":["CVE-2025-25279","GHSA-5fwx-p6xh-vjrh"],"created_at":"2026-04-26 03:02:07.194762+00:00","updated_at":"2026-04-26 03:02:07.194762+00:00"},{"id":5536,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.2.0+incompatible","fixed_version":"10.2.1+incompatible","bug_id":"osv:GO-2025-3407","title":"Mattermost webapp crash via a crafted post in github.com/mattermost/mattermost-server","description":"Mattermost webapp crash via a crafted post in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-w6xh-c82w-h997","labels":["CVE-2025-20621","GHSA-w6xh-c82w-h997"],"created_at":"2026-04-26 03:02:07.189721+00:00","updated_at":"2026-04-26 03:02:07.189721+00:00"},{"id":5535,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.2.0+incompatible","fixed_version":"10.2.1+incompatible","bug_id":"osv:GO-2025-3394","title":"Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-45v9-w9fh-33j6","labels":["CVE-2025-20088","GHSA-45v9-w9fh-33j6"],"created_at":"2026-04-26 03:02:07.187024+00:00","updated_at":"2026-04-26 03:02:07.187024+00:00"},{"id":5534,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.2.0+incompatible","fixed_version":"10.2.1+incompatible","bug_id":"osv:GO-2025-3393","title":"Mattermost Incorrect Type Conversion or Cast in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Type Conversion or Cast in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-8j3q-gc9x-7972","labels":["CVE-2025-21088","GHSA-8j3q-gc9x-7972"],"created_at":"2026-04-26 03:02:07.184334+00:00","updated_at":"2026-04-26 03:02:07.184334+00:00"},{"id":5533,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.2.0+incompatible","fixed_version":"10.2.1+incompatible","bug_id":"osv:GO-2025-3392","title":"Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-5m7j-6gc4-ff5g","labels":["CVE-2025-20086","GHSA-5m7j-6gc4-ff5g"],"created_at":"2026-04-26 03:02:07.181803+00:00","updated_at":"2026-04-26 03:02:07.181803+00:00"},{"id":5532,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"10.3.0+incompatible","bug_id":"osv:GO-2025-3380","title":"Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server","description":"Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: .","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-7rgp-4j56-fm79","labels":["CVE-2025-22445","GHSA-7rgp-4j56-fm79"],"created_at":"2026-04-26 03:02:07.179168+00:00","updated_at":"2026-04-26 
03:02:07.179168+00:00"},{"id":5531,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.2.0+incompatible","fixed_version":"10.2.1+incompatible","bug_id":"osv:GO-2025-3379","title":"Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server from v9.11.0 before v9.11.16.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-2549-xh72-qrpm","labels":["CVE-2025-20033","GHSA-2549-xh72-qrpm"],"created_at":"2026-04-26 03:02:07.176574+00:00","updated_at":"2026-04-26 03:02:07.176574+00:00"},{"id":5530,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.11.0+incompatible","fixed_version":null,"bug_id":"osv:GO-2025-3377","title":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before 
v9.11.16.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-q8fg-cp3q-5jwm","labels":["CVE-2025-22449","GHSA-q8fg-cp3q-5jwm"],"created_at":"2026-04-26 03:02:07.174031+00:00","updated_at":"2026-04-26 03:02:07.174031+00:00"},{"id":5529,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.1.0+incompatible","fixed_version":"10.1.3+incompatible","bug_id":"osv:GO-2024-3340","title":"Mattermost Data Amplification vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Data Amplification vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-v647-h8jj-fw5r","labels":["CVE-2024-54682","GHSA-v647-h8jj-fw5r"],"created_at":"2026-04-26 03:02:07.168693+00:00","updated_at":"2026-04-26 03:02:07.168693+00:00"},{"id":5528,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.1.0+incompatible","fixed_version":"10.1.3+incompatible","bug_id":"osv:GO-2024-3338","title":"Mattermost Race Condition vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Race Condition vulnerability in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-826h-p4c3-477p","labels":["CVE-2024-48872","GHSA-826h-p4c3-477p"],"created_at":"2026-04-26 03:02:07.166101+00:00","updated_at":"2026-04-26 03:02:07.166101+00:00"},{"id":5527,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.1.0+incompatible","fixed_version":"10.1.3+incompatible","bug_id":"osv:GO-2024-3337","title":"Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Improper Validation of Specified Type of Input vulnerability in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-69pr-78gv-7c6h","labels":["CVE-2024-54083","GHSA-69pr-78gv-7c6h"],"created_at":"2026-04-26 03:02:07.163563+00:00","updated_at":"2026-04-26 03:02:07.163563+00:00"},{"id":5526,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"0.0.0-20240209181221-674f549daf0e","bug_id":"osv:GO-2024-3334","title":"Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server","description":"Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qqc8-rv37-79q5","labels":["BIT-mattermost-2024-28053","CVE-2024-28053","GHSA-qqc8-rv37-79q5"],"created_at":"2026-04-26 03:02:07.160971+00:00","updated_at":"2026-04-26 03:02:07.160971+00:00"},{"id":5525,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"8.0.0-20240926115259-20ed58906adc","bug_id":"osv:GO-2024-3235","title":"Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server","description":"Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50052","labels":["CVE-2024-50052","GHSA-g376-m3h3-mj4r"],"created_at":"2026-04-26 03:02:07.158374+00:00","updated_at":"2026-04-26 03:02:07.158374+00:00"},{"id":5524,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"8.0.0-20240926115259-20ed58906adc","bug_id":"osv:GO-2024-3234","title":"Mattermost Server vulnerable to application crash from attacker-generated large response in 
github.com/mattermost/mattermost-server","description":"Mattermost Server vulnerable to application crash from attacker-generated large response in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-762v-rq7q-ff97","labels":["CVE-2024-47401","GHSA-762v-rq7q-ff97"],"created_at":"2026-04-26 03:02:07.155795+00:00","updated_at":"2026-04-26 03:02:07.155795+00:00"},{"id":5523,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"8.0.0-20240926115259-20ed58906adc","bug_id":"osv:GO-2024-3233","title":"Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery in github.com/mattermost/mattermost-server","description":"Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-762g-9p7f-mrww","labels":["BIT-mattermost-2024-46872","CVE-2024-46872","GHSA-762g-9p7f-mrww"],"created_at":"2026-04-26 03:02:07.153165+00:00","updated_at":"2026-04-26 03:02:07.153165+00:00"},{"id":5522,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"8.0.0-20240813135334-8f3a13122f55","bug_id":"osv:GO-2024-3232","title":"Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server","description":"Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-6mvp-gh77-7vwh","labels":["CVE-2024-10241","GHSA-6mvp-gh77-7vwh"],"created_at":"2026-04-26 03:02:07.150575+00:00","updated_at":"2026-04-26 
03:02:07.150575+00:00"},{"id":5521,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"8.0.0-20240821220019-0d6b1070a26f","bug_id":"osv:GO-2024-3227","title":"Mattermost incorrectly issues two sessions when using desktop SSO in github.com/mattermost/mattermost-server","description":"Mattermost incorrectly issues two sessions when using desktop SSO in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hm57-h27x-599c","labels":["CVE-2024-10214","GHSA-hm57-h27x-599c"],"created_at":"2026-04-26 03:02:07.148035+00:00","updated_at":"2026-04-26 03:02:07.148035+00:00"},{"id":5520,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"8.0.0-20240806094731-69a8b3df0f9f","bug_id":"osv:GO-2024-3164","title":"Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server","description":"Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-59hf-mpf8-pqjh","labels":["BIT-mattermost-2024-47003","CVE-2024-47003","GHSA-59hf-mpf8-pqjh"],"created_at":"2026-04-26 03:02:07.145403+00:00","updated_at":"2026-04-26 03:02:07.145403+00:00"},{"id":5519,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.10.0+incompatible","fixed_version":"9.10.1+incompatible","bug_id":"osv:GO-2024-3097","title":"Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Cross-Site Request Forgery vulnerability in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hrf9-rm95-fpf3","labels":["CVE-2024-40886","GHSA-hrf9-rm95-fpf3"],"created_at":"2026-04-26 03:02:07.142722+00:00","updated_at":"2026-04-26 03:02:07.142722+00:00"},{"id":5518,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.10.0+incompatible","fixed_version":"9.10.1+incompatible","bug_id":"osv:GO-2024-3096","title":"Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server","description":"Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-c6vp-jjgv-38wj","labels":["CVE-2024-39836","GHSA-c6vp-jjgv-38wj"],"created_at":"2026-04-26 03:02:07.140114+00:00","updated_at":"2026-04-26 03:02:07.140114+00:00"},{"id":5517,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.10.0+incompatible","fixed_version":"9.10.1+incompatible","bug_id":"osv:GO-2024-3094","title":"Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server","description":"Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-5263-pm2h-m7hw","labels":["CVE-2024-8071","GHSA-5263-pm2h-m7hw"],"created_at":"2026-04-26 03:02:07.137534+00:00","updated_at":"2026-04-26 03:02:07.137534+00:00"},{"id":5516,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.10.0+incompatible","fixed_version":"9.10.1+incompatible","bug_id":"osv:GO-2024-3093","title":"Mattermost doesn't redact remote users' 
original email addresses in github.com/mattermost/mattermost-server","description":"Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-4ww8-fprq-cq34","labels":["CVE-2024-32939","GHSA-4ww8-fprq-cq34"],"created_at":"2026-04-26 03:02:07.134944+00:00","updated_at":"2026-04-26 03:02:07.134944+00:00"},{"id":5515,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3092","title":"Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server","description":"Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-q22q-2rrf-m27p","labels":["CVE-2024-39777","GHSA-q22q-2rrf-m27p"],"created_at":"2026-04-26 03:02:07.132391+00:00","updated_at":"2026-04-26 03:02:07.132391+00:00"},{"id":5514,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.10.0+incompatible","fixed_version":"9.10.1+incompatible","bug_id":"osv:GO-2024-3091","title":"Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server","description":"Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fxq9-6946-34q7","labels":["BIT-mattermost-2024-42497","CVE-2024-42497","GHSA-fxq9-6946-34q7"],"created_at":"2026-04-26 03:02:07.129809+00:00","updated_at":"2026-04-26 
03:02:07.129809+00:00"},{"id":5513,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.10.0+incompatible","fixed_version":"9.10.1+incompatible","bug_id":"osv:GO-2024-3090","title":"Mattermost allows team admin user without \"Add Team Members\" permission to disable invite URL in github.com/mattermost/mattermost-server","description":"Mattermost allows team admin user without \"Add Team Members\" permission to disable invite URL in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3j95-8g47-fpwh","labels":["BIT-mattermost-2024-40884","CVE-2024-40884","GHSA-3j95-8g47-fpwh"],"created_at":"2026-04-26 03:02:07.127216+00:00","updated_at":"2026-04-26 03:02:07.127216+00:00"},{"id":5512,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.10.0+incompatible","fixed_version":"9.10.1+incompatible","bug_id":"osv:GO-2024-3089","title":"Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server","description":"Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-2jhx-w3vc-w59g","labels":["BIT-mattermost-2024-43780","CVE-2024-43780","GHSA-2jhx-w3vc-w59g"],"created_at":"2026-04-26 03:02:07.124571+00:00","updated_at":"2026-04-26 03:02:07.124571+00:00"},{"id":5511,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3032","title":"Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server","description":"Mattermost did not properly restrict channel creation in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vvpg-55p7-5h8w","labels":["BIT-mattermost-2024-39837","CVE-2024-39837","GHSA-vvpg-55p7-5h8w"],"created_at":"2026-04-26 03:02:07.121964+00:00","updated_at":"2026-04-26 03:02:07.121964+00:00"},{"id":5510,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3031","title":"Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server","description":"Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-jr9x-3x7m-4j75","labels":["BIT-mattermost-2024-41162","CVE-2024-41162","GHSA-jr9x-3x7m-4j75"],"created_at":"2026-04-26 03:02:07.119310+00:00","updated_at":"2026-04-26 03:02:07.119310+00:00"},{"id":5509,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3030","title":"Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server","description":"Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-jq3g-xqpx-37x3","labels":["CVE-2024-29977","GHSA-jq3g-xqpx-37x3"],"created_at":"2026-04-26 03:02:07.116683+00:00","updated_at":"2026-04-26 03:02:07.116683+00:00"},{"id":5508,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3028","title":"Mattermost failed to properly 
validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server","description":"Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-cmc8-222c-vqp9","labels":["CVE-2024-39274","GHSA-cmc8-222c-vqp9"],"created_at":"2026-04-26 03:02:07.114075+00:00","updated_at":"2026-04-26 03:02:07.114075+00:00"},{"id":5507,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3025","title":"Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server","description":"Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-56mc-f9w7-2wxq","labels":["CVE-2024-36492","GHSA-56mc-f9w7-2wxq"],"created_at":"2026-04-26 03:02:07.111455+00:00","updated_at":"2026-04-26 03:02:07.111455+00:00"},{"id":5506,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3024","title":"Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server","description":"Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vg6q-84p8-qvqh","labels":["BIT-mattermost-2024-39839","CVE-2024-39839","GHSA-vg6q-84p8-qvqh"],"created_at":"2026-04-26 03:02:07.108849+00:00","updated_at":"2026-04-26 03:02:07.108849+00:00"},{"id":5505,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3023","title":"Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server","description":"Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vg67-chm7-8m3j","labels":["BIT-mattermost-2024-41144","CVE-2024-41144","GHSA-vg67-chm7-8m3j"],"created_at":"2026-04-26 03:02:07.106267+00:00","updated_at":"2026-04-26 03:02:07.106267+00:00"},{"id":5504,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3022","title":"Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server","description":"Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-9fpw-c9x7-cv3j","labels":["BIT-mattermost-2024-41926","CVE-2024-41926","GHSA-9fpw-c9x7-cv3j"],"created_at":"2026-04-26 03:02:07.103685+00:00","updated_at":"2026-04-26 
03:02:07.103685+00:00"},{"id":5503,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.9.0+incompatible","fixed_version":"9.9.1+incompatible","bug_id":"osv:GO-2024-3020","title":"Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server","description":"Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-762m-4cx6-6mf4","labels":["CVE-2024-39832","GHSA-762m-4cx6-6mf4"],"created_at":"2026-04-26 03:02:07.101088+00:00","updated_at":"2026-04-26 03:02:07.101088+00:00"},{"id":5502,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2024-2707","title":"Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server","description":"Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.11.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-xp9j-8p68-9q93","labels":["BIT-mattermost-2024-21848","CVE-2024-21848","GHSA-xp9j-8p68-9q93"],"created_at":"2026-04-26 03:02:07.098542+00:00","updated_at":"2026-04-26 
03:02:07.098542+00:00"},{"id":5501,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.5.0+incompatible","fixed_version":"9.5.2+incompatible","bug_id":"osv:GO-2024-2706","title":"Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server","description":"Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-w67v-ph4x-f48q","labels":["BIT-mattermost-2024-29221","CVE-2024-29221","GHSA-w67v-ph4x-f48q"],"created_at":"2026-04-26 03:02:07.095927+00:00","updated_at":"2026-04-26 03:02:07.095927+00:00"},{"id":5500,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.5.0+incompatible","fixed_version":"9.5.2+incompatible","bug_id":"osv:GO-2024-2696","title":"Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server","description":"Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before 
v8.1.11.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-wp43-vprh-c3w5","labels":["BIT-mattermost-2024-2447","CVE-2024-2447","GHSA-wp43-vprh-c3w5"],"created_at":"2026-04-26 03:02:07.093425+00:00","updated_at":"2026-04-26 03:02:07.093425+00:00"},{"id":5499,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.5.0+incompatible","fixed_version":"9.5.2+incompatible","bug_id":"osv:GO-2024-2695","title":"Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server","description":"Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-mcw6-3256-64gg","labels":["BIT-mattermost-2024-28949","CVE-2024-28949","GHSA-mcw6-3256-64gg"],"created_at":"2026-04-26 03:02:07.090789+00:00","updated_at":"2026-04-26 03:02:07.090789+00:00"},{"id":5498,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.0.0+incompatible","fixed_version":"9.4.0+incompatible","bug_id":"osv:GO-2024-2635","title":"Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost-server","description":"Mattermost incorrectly allows access individual posts in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-r4fm-g65h-cr54","labels":["BIT-mattermost-2024-1952","CVE-2024-1952","GHSA-r4fm-g65h-cr54"],"created_at":"2026-04-26 03:02:07.088163+00:00","updated_at":"2026-04-26 03:02:07.088163+00:00"},{"id":5497,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.0.0+incompatible","fixed_version":"9.4.2+incompatible","bug_id":"osv:GO-2024-2595","title":"Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server","description":"Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-xgxj-j98c-59rv","labels":["CVE-2024-23488","GHSA-xgxj-j98c-59rv"],"created_at":"2026-04-26 03:02:07.085491+00:00","updated_at":"2026-04-26 03:02:07.085491+00:00"},{"id":5496,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.4.0+incompatible","fixed_version":"9.4.2+incompatible","bug_id":"osv:GO-2024-2594","title":"Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server","description":"Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing 
false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-vm9m-57jr-4pxh","labels":["BIT-mattermost-2024-1953","CVE-2024-1953","GHSA-vm9m-57jr-4pxh"],"created_at":"2026-04-26 03:02:07.082893+00:00","updated_at":"2026-04-26 03:02:07.082893+00:00"},{"id":5495,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.4.0+incompatible","fixed_version":"9.4.2+incompatible","bug_id":"osv:GO-2024-2593","title":"Mattermost fails to check the \"invite_guest\" permission in github.com/mattermost/mattermost-server","description":"Mattermost fails to check the \"invite_guest\" permission in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-pfw6-5rx3-xh3c","labels":["CVE-2024-1888","GHSA-pfw6-5rx3-xh3c"],"created_at":"2026-04-26 03:02:07.080280+00:00","updated_at":"2026-04-26 03:02:07.080280+00:00"},{"id":5494,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.3.0+incompatible","fixed_version":"9.3.1+incompatible","bug_id":"osv:GO-2024-2592","title":"Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server","description":"Mattermost allows attackers access to posts in channels they are not a member of in 
github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hwjf-4667-gqwx","labels":["BIT-mattermost-2024-1942","CVE-2024-1942","GHSA-hwjf-4667-gqwx"],"created_at":"2026-04-26 03:02:07.077702+00:00","updated_at":"2026-04-26 03:02:07.077702+00:00"},{"id":5493,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.3.0+incompatible","fixed_version":"9.3.1+incompatible","bug_id":"osv:GO-2024-2591","title":"Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server","description":"Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fx48-xv6q-6gp3","labels":["CVE-2024-1887","GHSA-fx48-xv6q-6gp3"],"created_at":"2026-04-26 03:02:07.075050+00:00","updated_at":"2026-04-26 03:02:07.075050+00:00"},{"id":5492,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.4.0+incompatible","fixed_version":"9.4.2+incompatible","bug_id":"osv:GO-2024-2590","title":"Mattermost leaks details of 
AD/LDAP groups of a teams in github.com/mattermost/mattermost-server","description":"Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-7v3v-984v-h74r","labels":["BIT-mattermost-2024-23493","CVE-2024-23493","GHSA-7v3v-984v-h74r"],"created_at":"2026-04-26 03:02:07.072527+00:00","updated_at":"2026-04-26 03:02:07.072527+00:00"},{"id":5491,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.3.0+incompatible","fixed_version":"9.3.1+incompatible","bug_id":"osv:GO-2024-2589","title":"Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server","description":"Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-6mx3-9qfh-77gj","labels":["BIT-mattermost-2024-24988","CVE-2024-24988","GHSA-6mx3-9qfh-77gj"],"created_at":"2026-04-26 03:02:07.069969+00:00","updated_at":"2026-04-26 
03:02:07.069969+00:00"},{"id":5490,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.0.0+incompatible","fixed_version":"9.4.2+incompatible","bug_id":"osv:GO-2024-2588","title":"Mattermost race condition in github.com/mattermost/mattermost-server","description":"Mattermost race condition in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-3g35-v53r-gpxc","labels":["BIT-mattermost-2024-1949","CVE-2024-1949","GHSA-3g35-v53r-gpxc"],"created_at":"2026-04-26 03:02:07.067392+00:00","updated_at":"2026-04-26 03:02:07.067392+00:00"},{"id":5489,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.0.0+incompatible","fixed_version":"9.3.0+incompatible","bug_id":"osv:GO-2024-2566","title":"Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server","description":"Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before 
v8.1.8.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-r833-w756-h5p2","labels":["BIT-mattermost-2024-24776","CVE-2024-24776","GHSA-r833-w756-h5p2"],"created_at":"2026-04-26 03:02:07.064752+00:00","updated_at":"2026-04-26 03:02:07.064752+00:00"},{"id":5488,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.2.0+incompatible","fixed_version":"9.2.4+incompatible","bug_id":"osv:GO-2024-2541","title":"Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server","description":"Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.8.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-32h7-7j94-8fc2","labels":["BIT-mattermost-2024-1402","CVE-2024-1402","GHSA-32h7-7j94-8fc2"],"created_at":"2026-04-26 03:02:07.062160+00:00","updated_at":"2026-04-26 03:02:07.062160+00:00"},{"id":5487,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2024-2450","title":"Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is 
causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost-server before v7.8.10; github.com/mattermost/mattermost/server/v8 before v8.1.1.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-w88v-pjr8-cmv2","labels":["BIT-mattermost-2023-47858","CVE-2023-47858","GHSA-w88v-pjr8-cmv2"],"created_at":"2026-04-26 03:02:07.059473+00:00","updated_at":"2026-04-26 03:02:07.059473+00:00"},{"id":5486,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"8.1.7+incompatible","bug_id":"osv:GO-2024-2448","title":"Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server","description":"Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-q7rx-w656-fwmv","labels":["BIT-mattermost-2023-48732","CVE-2023-48732","GHSA-q7rx-w656-fwmv"],"created_at":"2026-04-26 03:02:07.056894+00:00","updated_at":"2026-04-26 03:02:07.056894+00:00"},{"id":5485,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2024-2446","title":"Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server","description":"Mattermost Cross-site Scripting 
vulnerability in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-h3gq-j7p9-x3p4","labels":["BIT-mattermost-2023-7113","CVE-2023-7113","GHSA-h3gq-j7p9-x3p4"],"created_at":"2026-04-26 03:02:07.054261+00:00","updated_at":"2026-04-26 03:02:07.054261+00:00"},{"id":5484,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":null,"bug_id":"osv:GO-2024-2444","title":"Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server","description":"Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server.\n\nNOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.\n\n(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)\n\nThe additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.","severity":"medium","status":"open","source":"osv","source_url":"https://github.com/advisories/GHSA-9w97-9rqx-8v4j","labels":["BIT-mattermost-2023-50333","CVE-2023-50333","GHSA-9w97-9rqx-8v4j"],"created_at":"2026-04-26 03:02:07.051730+00:00","updated_at":"2026-04-26 03:02:07.051730+00:00"},{"id":5483,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"5.20.0","bug_id":"osv:GO-2023-1939","title":"Mattermost Server Sensitive Data Exposure in 
github.com/mattermost/mattermost","description":"Mattermost Server Sensitive Data Exposure in github.com/mattermost/mattermost","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-j2h2-cvwh-cr64","labels":["BIT-mattermost-2020-14457","CVE-2020-14457","GHSA-j2h2-cvwh-cr64"],"created_at":"2026-04-26 03:02:07.049185+00:00","updated_at":"2026-04-26 03:02:07.049185+00:00"},{"id":5482,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"5.37.9","bug_id":"osv:GO-2022-0616","title":"Improper Privilege Management in Mattermost in github.com/mattermost/mattermost-server","description":"Improper Privilege Management in Mattermost in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-qggc-pj29-j27m","labels":["BIT-mattermost-2022-1332","CVE-2022-1332","GHSA-qggc-pj29-j27m"],"created_at":"2026-04-26 03:02:07.046600+00:00","updated_at":"2026-04-26 03:02:07.046600+00:00"},{"id":5481,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"5.39.0","bug_id":"osv:GO-2022-0604","title":"Cross-site Scripting in Mattermost in github.com/mattermost/mattermost-server","description":"Cross-site Scripting in Mattermost in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-hv5f-73mr-7vvj","labels":["CVE-2021-37860","GHSA-hv5f-73mr-7vvj"],"created_at":"2026-04-26 03:02:07.044070+00:00","updated_at":"2026-04-26 03:02:07.044070+00:00"},{"id":5480,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"6.5.0","bug_id":"osv:GO-2022-0599","title":"Improper Control of a Resource Through its Lifetime in Mattermost in github.com/mattermost/mattermost-server","description":"Improper 
Control of a Resource Through its Lifetime in Mattermost in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-fxwj-v664-wv5g","labels":["BIT-mattermost-2022-1385","CVE-2022-1385","GHSA-fxwj-v664-wv5g"],"created_at":"2026-04-26 03:02:07.041530+00:00","updated_at":"2026-04-26 03:02:07.041530+00:00"},{"id":5479,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"6.4.2","bug_id":"osv:GO-2022-0595","title":"Resource exhaustion in Mattermost in github.com/mattermost/mattermost-server","description":"Resource exhaustion in Mattermost in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-f37q-q7p2-ccfc","labels":["BIT-mattermost-2022-1337","CVE-2022-1337","GHSA-f37q-q7p2-ccfc"],"created_at":"2026-04-26 03:02:07.038988+00:00","updated_at":"2026-04-26 03:02:07.038988+00:00"},{"id":5478,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"6.4.0","fixed_version":"6.5.0","bug_id":"osv:GO-2022-0576","title":"Insecure plugin handling in Mattermost in github.com/mattermost/mattermost-server","description":"Insecure plugin handling in Mattermost in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-32rp-q37p-jg6w","labels":["BIT-mattermost-2022-1384","CVE-2022-1384","GHSA-32rp-q37p-jg6w"],"created_at":"2026-04-26 03:02:07.033981+00:00","updated_at":"2026-04-26 03:02:07.033981+00:00"},{"id":5477,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"6.7.0","fixed_version":"6.7.1","bug_id":"osv:GO-2022-0540","title":"Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server","description":"Mattermost users could 
access some sensitive information via API call in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/advisories/GHSA-7ggc-5r84-xf54","labels":["BIT-mattermost-2022-2401","CVE-2022-2401","GHSA-7ggc-5r84-xf54"],"created_at":"2026-04-26 03:02:07.031213+00:00","updated_at":"2026-04-26 03:02:07.031213+00:00"},{"id":5476,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.8.0","fixed_version":"10.8.4","bug_id":"osv:GHSA-x67c-v8jr-p29r","title":"Mattermost Fails to Sanitize Path Traversal Sequences","description":"Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-8023","labels":["CVE-2025-8023","GO-2025-3907"],"created_at":"2026-04-26 03:02:07.028674+00:00","updated_at":"2026-04-26 03:02:07.028674+00:00"},{"id":5474,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"5.4.0-rc1","fixed_version":"7.8.12","bug_id":"osv:GHSA-r67m-mf7v-qp7j","title":"Mattermost password hash disclosure vulnerability","description":"Mattermost fails to properly sanitize the user object when updating the username, resulting in the password hash being included in the response body. 
","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-5968","labels":["CVE-2023-5968"],"created_at":"2026-04-26 03:02:07.023562+00:00","updated_at":"2026-04-26 03:02:07.023562+00:00"},{"id":5472,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.8.0","fixed_version":"10.8.4","bug_id":"osv:GHSA-qj47-w9f2-qg44","title":"Mattermost Does Not Sanitize the Team Invite ID","description":"Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the  POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team’s invite id.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47870","labels":["CVE-2025-47870","GO-2025-3905"],"created_at":"2026-04-26 03:02:07.018377+00:00","updated_at":"2026-04-26 03:02:07.018377+00:00"},{"id":5471,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"6.4.0","fixed_version":"6.4.2","bug_id":"osv:GHSA-qggc-pj29-j27m","title":"Improper Privilege Management in Mattermost","description":"One of the API in Mattermost version 6.4.1 and earlier fails to properly protect the permissions, which allows the authenticated members with restricted custom admin role to bypass the restrictions and view the server logs and server config.json file contents. 
Per the Mattermost security updates page, versions 6.4.2, 6.3.5, 6.2.5, and 5.37.9 contain patches for this issue","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1332","labels":["BIT-mattermost-2022-1332","CVE-2022-1332","GO-2022-0616"],"created_at":"2026-04-26 03:02:07.015859+00:00","updated_at":"2026-04-26 03:02:07.015859+00:00"},{"id":5470,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.8.0","fixed_version":"10.8.4","bug_id":"osv:GHSA-q453-638c-h4mr","title":"Mattermost Fails to Validate Remote Cluster Upload Sessions","description":"Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49222","labels":["CVE-2025-49222","GO-2025-3904"],"created_at":"2026-04-26 03:02:07.013255+00:00","updated_at":"2026-04-26 03:02:07.013255+00:00"},{"id":5468,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"8.0.0-20250815165020-c8d66301415d","bug_id":"osv:GHSA-j6gg-r5jc-47cm","title":"Mattermost fails to properly restrict access to archived channel search API","description":"Mattermost versions < 11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public channels via the `/api/v4/teams/{team_id}/channels/search_archived` endpoint","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-11776","labels":["CVE-2025-11776","GO-2025-4126"],"created_at":"2026-04-26 03:02:07.008118+00:00","updated_at":"2026-04-26 
03:02:07.008118+00:00"},{"id":5467,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"5.20.0","bug_id":"osv:GHSA-j2h2-cvwh-cr64","title":"Mattermost Server Sensitive Data Exposure","description":"An issue was discovered in Mattermost Server before 5.20.0. Non-members can receive broadcasted team details via the `update_team` WebSocket event, aka MMSA-2020-0012.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14457","labels":["BIT-mattermost-2020-14457","CVE-2020-14457","GO-2023-1939"],"created_at":"2026-04-26 03:02:07.005569+00:00","updated_at":"2026-04-26 03:02:07.005569+00:00"},{"id":5466,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"5.39.0","bug_id":"osv:GHSA-hv5f-73mr-7vvj","title":"Cross-site Scripting in Mattermost","description":"Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37860","labels":["CVE-2021-37860","GO-2022-0604"],"created_at":"2026-04-26 03:02:07.002928+00:00","updated_at":"2026-04-26 03:02:07.002928+00:00"},{"id":5465,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.8.0","fixed_version":"10.8.4","bug_id":"osv:GHSA-h469-4fcf-p23h","title":"Mattermost has Potential Server Crash due to Unvalidated Import Data","description":"Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import 
feature.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-8402","labels":["CVE-2025-8402","GO-2025-3911"],"created_at":"2026-04-26 03:02:07.000347+00:00","updated_at":"2026-04-26 03:02:07.000347+00:00"},{"id":5464,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.9.0","fixed_version":"10.9.2","bug_id":"osv:GHSA-gq3r-5833-5532","title":"Mattermost Fails to Validate File Paths","description":"Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-36530","labels":["CVE-2025-36530","GO-2025-3901"],"created_at":"2026-04-26 03:02:06.997813+00:00","updated_at":"2026-04-26 03:02:06.997813+00:00"},{"id":5463,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"3.3.0","fixed_version":"7.1.6","bug_id":"osv:GHSA-9hj7-v56g-rhf6","title":"Mattermost fails to properly authentication inviter's permissions to private channel","description":"When processing an email invite to a private channel on a team, Mattermost fails to validate the inviter's permission to that channel, allowing an attacker to invite themselves to a private channel.\n\n[Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00137","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1774","labels":["BIT-mattermost-2023-1774","CVE-2023-1774"],"created_at":"2026-04-26 03:02:06.995222+00:00","updated_at":"2026-04-26 
03:02:06.995222+00:00"},{"id":5462,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"3.3.0","fixed_version":"7.1.6","bug_id":"osv:GHSA-8jhh-3jf2-pfwr","title":"Mattermost vulnerable to information disclosure","description":"When running in a High Availability configuration, Mattermost fails to sanitize some of the `user_updated` and` post_deleted` events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websocket clients.\n\n[Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00138","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1775","labels":["BIT-mattermost-2023-1775","CVE-2023-1775"],"created_at":"2026-04-26 03:02:06.992581+00:00","updated_at":"2026-04-26 03:02:06.992581+00:00"},{"id":5461,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"6.0.0","fixed_version":"7.1.6","bug_id":"osv:GHSA-63f2-6959-2pxj","title":"Mattermost vulnerable to cross-site scripting (XSS)","description":"Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. 
\n\n[Issue Identifier](https://mattermost.com/security-updates/): MMSA-2023-00139","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-1776","labels":["BIT-mattermost-2023-1776","CVE-2023-1776"],"created_at":"2026-04-26 03:02:06.990007+00:00","updated_at":"2026-04-26 03:02:06.990007+00:00"},{"id":5475,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"9.5.0","fixed_version":"9.5.7","bug_id":"osv:GHSA-vvpg-55p7-5h8w","title":"Mattermost did not properly restrict channel creation","description":"Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39837","labels":["BIT-mattermost-2024-39837","CVE-2024-39837","GO-2024-3032"],"created_at":"2026-04-26 03:02:07.026094+00:00","updated_at":"2026-04-26 03:02:07.026094+00:00"},{"id":5473,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":null,"fixed_version":"0.0.0-20240209181221-674f549daf0e","bug_id":"osv:GHSA-qqc8-rv37-79q5","title":"Mattermost Server Resource Exhaustion","description":"Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.\n\n","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28053","labels":["BIT-mattermost-2024-28053","CVE-2024-28053","GO-2024-3334"],"created_at":"2026-04-26 03:02:07.020969+00:00","updated_at":"2026-04-26 
03:02:07.020969+00:00"},{"id":5469,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.11.0","fixed_version":"10.11.4","bug_id":"osv:GHSA-mqcj-8c2g-h97q","title":"Mattermost Incorrect Authorization vulnerability","description":"Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-11777","labels":["CVE-2025-11777","GO-2025-4122"],"created_at":"2026-04-26 03:02:07.010733+00:00","updated_at":"2026-04-26 03:02:07.010733+00:00"},{"id":5460,"ecosystem":"go","package_name":"github.com/mattermost/mattermost-server/v5","affected_version":"10.5.0","fixed_version":"10.5.9","bug_id":"osv:GHSA-4276-cm8c-788h","title":"Mattermost Fails to Properly Validate Team Role Modification","description":"Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.","severity":"low","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53971","labels":["CVE-2025-53971","GO-2025-3902"],"created_at":"2026-04-26 03:02:06.978849+00:00","updated_at":"2026-04-26 03:02:06.978849+00:00"}],"total":177,"_cache":"hit"}