{"package":"github.com/mattermost/mattermost-server","ecosystem":"go","latest_version":"v11.6.1+incompatible","description":"Mattermost is an open source platform for secure collaboration across the entire software development lifecycle.","license":"Apache-2.0","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://pkg.go.dev/github.com/mattermost/mattermost-server","repository":"https://github.com/mattermost/mattermost-server","downloads_weekly":36306,"health":{"score":63,"risk":"moderate","breakdown":{"maintenance":25,"popularity":10,"security":0,"maturity":15,"community":13},"deprecated":false,"max_score":100},"vulnerabilities":{"count":134,"critical":0,"high":4,"medium":22,"low":108,"details":[{"vuln_id":"CVE-2025-32093","severity":"medium","summary":"Mattermost Fails to Restrict Certain Operations on System Admins","affected_versions":">=10.5.0,<10.5.2|>=10.4.0,<10.4.4|>=9.11.0,<9.11.10|>=10.5.0,<10.5.2|>=10.4.0,<10.4.4|>=9.11.0,<9.11.10|<8.0.0-20250227102013-aa4623a93199","fixed_version":"8.0.0-20250227102013-aa4623a93199","source":"osv","published_at":"2025-04-14T09:30:24Z","in_kev":false,"epss_prob":0.00228,"epss_percentile":0.45551,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-0999","severity":"medium","summary":"Mattermost fails to properly validate login method restrictions","affected_versions":"<8.0.0-20251212052346-61651b0df7ea|>=11.1.0|>=10.11.0|>=11.2.0|<5.3.2-0.20251212052346-61651b0df7ea","fixed_version":"5.3.2-0.20251212052346-61651b0df7ea","source":"osv","published_at":"2026-02-16T12:30:24Z","in_kev":false,"epss_prob":0.00052,"epss_percentile":0.16019,"threat_tier":"theoretical"},{"vuln_id":"BIT-mattermost-2023-1777","severity":"medium","summary":"Mattermost vulnerable to information 
disclosure","affected_versions":">=6.3.0,<7.1.6|>=7.8.0,<7.8.1|>=7.7.0,<7.7.2|>=7.1.0,<7.1.6|>=6.0.0-20211025164829-f7a8147b825c,<6.0.0-20230301145909-10be118d99a5|>=1.4.1-0.20211025164829-f7a8147b825c,<1.4.1-0.20230301145909-10be118d99a5|=7.8.0","fixed_version":"1.4.1-0.20230301145909-10be118d99a5","source":"osv","published_at":"2023-03-31T12:30:16Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2025-53971","severity":"low","summary":"Mattermost Fails to Properly Validate Team Role Modification","affected_versions":">=10.5.0,<10.5.9|>=9.11.0,<9.11.18|<8.0.0-20250721095846-c602a4a78e1f|<=5.39.3|<=6.7.2","fixed_version":"8.0.0-20250721095846-c602a4a78e1f","source":"osv","published_at":"2025-08-21T09:30:21Z","in_kev":false,"epss_prob":0.00039,"epss_percentile":0.11557,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-3113","severity":"medium","summary":"Mattermost doesn't set permissions on downloaded bulk export","affected_versions":">=11.4.0-rc1,<11.4.1|>=11.3.0-rc1,<11.3.2|>=11.2.0-rc1,<11.2.4|>=10.11.0-rc1,<10.11.12|>=8.0.0-20260105080200-d27a2195068d,<8.0.0-20260217110922-b7d4a1f1f59b","fixed_version":"8.0.0-20260217110922-b7d4a1f1f59b","source":"osv","published_at":"2026-03-26T18:31:42Z","in_kev":false,"epss_prob":0.0001,"epss_percentile":0.01047,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-6227","severity":"low","summary":"Mattermost has Insufficiently Protected Credentials","affected_versions":">=10.5.0,<10.5.8|>=9.11.0,<9.11.17|<8.0.0-20250612074655-8f8612c63783","fixed_version":"8.0.0-20250612074655-8f8612c63783","source":"osv","published_at":"2025-07-18T12:30:36Z","in_kev":false,"epss_prob":0.00045,"epss_percentile":0.13901,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-14350","severity":"medium","summary":"Mattermost fails to properly validate team membership when processing channel 
mentions","affected_versions":"<8.0.0-20251209134645-761e56bb11cc|>=11.1.0|>=10.11.0|>=11.2.0|<5.3.2-0.20251209134645-761e56bb11cc","fixed_version":"5.3.2-0.20251209134645-761e56bb11cc","source":"osv","published_at":"2026-02-16T15:32:47Z","in_kev":false,"epss_prob":0.0004,"epss_percentile":0.11988,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-9072","severity":"high","summary":"Mattermost Open Redirect vulnerability","affected_versions":">=10.10.0,<10.10.2|>=10.5.0,<10.5.10|>=10.9.0,<10.9.5|<8.0.0-20250731063404-9eebaadf8f72","fixed_version":"8.0.0-20250731063404-9eebaadf8f72","source":"osv","published_at":"2025-09-15T12:31:25Z","in_kev":false,"epss_prob":0.00031,"epss_percentile":0.08864,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-6226","severity":"medium","summary":"Mattermost Missing Authentication for Critical Function","affected_versions":">=10.5.0,<10.5.7|>=10.8.0,<10.8.2|>=10.7.0,<10.7.4|>=9.11.0,<9.11.17|<8.0.0-20250520130510-fa40a8c5d47f","fixed_version":"8.0.0-20250520130510-fa40a8c5d47f","source":"osv","published_at":"2025-07-18T09:30:32Z","in_kev":false,"epss_prob":0.0007,"epss_percentile":0.21377,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-55074","severity":"low","summary":"Mattermost allows other users to determine when users had read channels via channel member objects","affected_versions":">=10.11.0,<10.11.4|>=10.5.0,<10.5.12|<8.0.0-20250905150616-ba86dfc5876b6","fixed_version":"8.0.0-20250905150616-ba86dfc5876b6","source":"osv","published_at":"2025-11-18T18:32:52Z","in_kev":false,"epss_prob":0.00019,"epss_percentile":0.05299,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-9078","severity":"medium","summary":"Mattermost makes Use of Weak 
Hash","affected_versions":">=10.8.0,<10.8.4|>=10.5.0,<10.5.9|>=9.11.0,<9.11.18|>=10.10.0,<10.10.2|>=10.9.0,<10.9.4|<8.0.0-20250718075842-cd87e5c87737","fixed_version":"8.0.0-20250718075842-cd87e5c87737","source":"osv","published_at":"2025-09-15T12:31:25Z","in_kev":false,"epss_prob":0.00022,"epss_percentile":0.0606,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-14573","severity":"low","summary":"Mattermost fails to enforce invite permissions when updating team settings","affected_versions":"<8.0.0-20251215190648-6404ab29acc0|>=11.1.0|>=10.11.0|>=11.2.0|<5.3.2-0.20251215190648-6404ab29acc0","fixed_version":"5.3.2-0.20251215190648-6404ab29acc0","source":"osv","published_at":"2026-02-16T15:32:47Z","in_kev":false,"epss_prob":0.0003,"epss_percentile":0.08571,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-55073","severity":"medium","summary":"Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL","affected_versions":">=10.11.0,<10.11.4|>=10.5.0,<10.5.12|>=10.12.0,<10.12.1|<8.0.0-20250929212932-a41db04d2746","fixed_version":"8.0.0-20250929212932-a41db04d2746","source":"osv","published_at":"2025-11-14T09:30:27Z","in_kev":false,"epss_prob":0.00045,"epss_percentile":0.13795,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-27656","severity":"medium","summary":"Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw","affected_versions":">=11.4.0-rc1,<11.4.1|>=11.3.0-rc1,<11.3.2|>=11.2.0-rc1,<11.2.4|>=10.11.0-rc1,<10.11.12|>=8.0.0-20260105080200-d27a2195068d,<8.0.0-20260217110922-b7d4a1f1f59b","fixed_version":"8.0.0-20260217110922-b7d4a1f1f59b","source":"osv","published_at":"2026-03-25T18:31:53Z","in_kev":false,"epss_prob":0.0003,"epss_percentile":0.0852,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-36530","severity":"medium","summary":"Mattermost Fails to Validate File 
Paths","affected_versions":">=10.9.0,<10.9.2|>=10.8.0,<10.8.4|>=10.5.0,<10.5.9|>=9.11.0,<9.11.18|<8.0.0-20250619095651-9dd0b3943e55|<=5.11.1|<=6.7.2","fixed_version":"8.0.0-20250619095651-9dd0b3943e55","source":"osv","published_at":"2025-08-21T09:30:21Z","in_kev":false,"epss_prob":0.00051,"epss_percentile":0.15906,"threat_tier":"theoretical"},{"vuln_id":"BIT-mattermost-2025-27933","severity":"medium","summary":"Mattermost allows members with permission to convert public channels to private and convert private to public","affected_versions":">=10.4.0,<10.4.3|>=10.3.0,<10.3.4|>=9.11.0,<9.11.9|<9.11.9|<8.0.0-20250218135018-e644e3c8e393","fixed_version":"8.0.0-20250218135018-e644e3c8e393","source":"osv","published_at":"2025-03-21T09:30:35Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2025-11776","severity":"medium","summary":"Mattermost fails to properly restrict access to archived channel search API","affected_versions":"<8.0.0-20250815165020-c8d66301415d|<5.3.2-0.20250815165020-c8d66301415d|<5.3.2-0.20250815165020-c8d66301415d|<5.3.2-0.20250815165020-c8d66301415d|<5.3.2-0.20250815165020-c8d66301415d","fixed_version":"5.3.2-0.20250815165020-c8d66301415d","source":"osv","published_at":"2025-11-14T09:30:27Z","in_kev":false,"epss_prob":0.00039,"epss_percentile":0.11613,"threat_tier":"theoretical"},{"vuln_id":"CVE-2017-18912","severity":"high","summary":"Mattermost Server allows an attacker to specify a full pathname of a log file","affected_versions":"<3.7.4-0.20170404171331-0b5c0794fdcb","fixed_version":"3.7.4-0.20170404171331-0b5c0794fdcb","source":"osv","published_at":"2022-05-24T17:21:07Z","in_kev":false,"epss_prob":0.00733,"epss_percentile":0.7281,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-11777","severity":"low","summary":"Mattermost Incorrect Authorization 
vulnerability","affected_versions":">=10.11.0,<10.11.4|>=10.5.0,<10.5.12|<8.0.0-20250905150616-ba86dfc5876b|<5.3.2-0.20250905150616-ba86dfc5876b|<5.3.2-0.20250905150616-ba86dfc5876b|<5.3.2-0.20250905150616-ba86dfc5876b|<5.3.2-0.20250905150616-ba86dfc5876b","fixed_version":"5.3.2-0.20250905150616-ba86dfc5876b","source":"osv","published_at":"2025-11-13T18:31:05Z","in_kev":false,"epss_prob":0.00027,"epss_percentile":0.07621,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-11794","severity":"medium","summary":"Mattermost allows system administrators to access password hashes and MFA secrets","affected_versions":">=10.11.0,<10.11.4|>=10.5.0,<10.5.12|>=10.12.0,<10.12.1|<8.0.0-20250929212932-a41db04d2746","fixed_version":"8.0.0-20250929212932-a41db04d2746","source":"osv","published_at":"2025-11-14T12:30:18Z","in_kev":false,"epss_prob":0.00044,"epss_percentile":0.1335,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-6465","severity":"medium","summary":"Mattermost Fails to Sanitize File Names","affected_versions":">=10.8.0,<10.8.4|>=10.5.0,<10.5.9|>=10.9.0,<10.9.4|>=10.10.0,<10.10.1|<8.0.0-20250708173752-d6b35c41f0ae5|=10.10.0","fixed_version":"8.0.0-20250708173752-d6b35c41f0ae5","source":"osv","published_at":"2025-08-21T18:31:29Z","in_kev":false,"epss_prob":0.00072,"epss_percentile":0.21738,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-13821","severity":"medium","summary":"Mattermost fails to sanitize sensitive data in WebSocket messages","affected_versions":"<8.0.0-20251210191531-cd17b61de41b|>=11.1.0|>=10.11.0|>=11.2.0|<5.3.2-0.20251210191531-cd17b61de41b","fixed_version":"5.3.2-0.20251210191531-cd17b61de41b","source":"osv","published_at":"2026-02-16T12:30:25Z","in_kev":false,"epss_prob":0.00044,"epss_percentile":0.13415,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-49810","severity":"low","summary":"Mattermost Lack of Access Control 
Validation","affected_versions":">=10.5.0,<10.5.9|<8.0.0-20250721095846-c602a4a78e1f","fixed_version":"8.0.0-20250721095846-c602a4a78e1f","source":"osv","published_at":"2025-08-21T09:30:21Z","in_kev":false,"epss_prob":0.0003,"epss_percentile":0.08541,"threat_tier":"theoretical"},{"vuln_id":"CVE-2016-11075","severity":"medium","summary":"Mattermost Server exposes sensitive information about team URLs via an API","affected_versions":"<2.0.1-0.20160310160916-26ad6d2c7696","fixed_version":"2.0.1-0.20160310160916-26ad6d2c7696","source":"osv","published_at":"2022-05-24T17:21:01Z","in_kev":false,"epss_prob":0.00237,"epss_percentile":0.46804,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-49222","severity":"medium","summary":"Mattermost Fails to Validate Remote Cluster Upload Sessions","affected_versions":">=10.8.0,<10.8.4|>=10.5.0,<10.5.9|>=9.11.0,<9.11.18|>=10.9.0,<10.9.3|>=10.10.0,<10.10.1|<8.0.0-20250708173752-d6b35c41f0ae5|<=5.39.3|<=5.7.2|=10.10.0","fixed_version":"8.0.0-20250708173752-d6b35c41f0ae5","source":"osv","published_at":"2025-08-21T09:30:21Z","in_kev":false,"epss_prob":0.00047,"epss_percentile":0.14433,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-47870","severity":"medium","summary":"Mattermost Does Not Sanitize the Team Invite ID","affected_versions":">=10.8.0,<10.8.4|>=10.5.0,<10.5.9|>=9.11.0,<9.11.18|>=10.9.0,<10.9.3|<8.0.0-20250708065844-b38e2eccda18|<=5.39.3|<=6.7.2","fixed_version":"8.0.0-20250708065844-b38e2eccda18","source":"osv","published_at":"2025-08-21T09:30:21Z","in_kev":false,"epss_prob":0.0004,"epss_percentile":0.12025,"threat_tier":"theoretical"},{"vuln_id":"BIT-mattermost-2024-28053","severity":"low","summary":"Mattermost Server Resource 
Exhaustion","affected_versions":"<0.0.0-20240209181221-674f549daf0e|<0.0.0-20240209181221-674f549daf0e|<0.0.0-20240209181221-674f549daf0e|<0.0.0-20240209181221-674f549daf0e","fixed_version":"0.0.0-20240209181221-674f549daf0e","source":"osv","published_at":"2024-03-15T09:30:37Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2025-9079","severity":"high","summary":"Mattermost Path Traversal vulnerability","affected_versions":">=10.8.0,<10.8.4|>=10.5.0,<10.5.9|>=9.11.0,<9.11.18|>=10.10.0,<10.10.2|>=10.9.0,<10.9.4|<8.0.0-20250707221302-a8fa77f107ef","fixed_version":"8.0.0-20250707221302-a8fa77f107ef","source":"osv","published_at":"2025-09-19T21:31:21Z","in_kev":false,"epss_prob":0.00051,"epss_percentile":0.15791,"threat_tier":"theoretical"},{"vuln_id":"CVE-2023-5968","severity":"medium","summary":"Mattermost password hash disclosure vulnerability","affected_versions":">=5.4.0-rc1,<7.8.12|>=8.0.0,<8.0.4|>=8.1.0,<8.1.3|>=9.0.0,<9.0.1|<8.0.0-20230825233148-f787fd63368a|<5.3.2-0.20230825233148-f787fd63368a|<5.3.2-0.20230825233148-f787fd63368a|<5.3.2-0.20230825233148-f787fd63368a|=9.0.0","fixed_version":"5.3.2-0.20230825233148-f787fd63368a","source":"osv","published_at":"2023-11-06T18:30:19Z","in_kev":false,"epss_prob":0.00139,"epss_percentile":0.33607,"threat_tier":"theoretical"},{"vuln_id":"CVE-2017-18909","severity":"high","summary":"Mattermost Server SAML implementation does not require encryption or signature verification as default","affected_versions":"<3.8.1-0.20170504181128-4f074fed0d65","fixed_version":"3.8.1-0.20170504181128-4f074fed0d65","source":"osv","published_at":"2022-05-24T17:21:06Z","in_kev":false,"epss_prob":0.00148,"epss_percentile":0.35086,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-47700","severity":"low","summary":"Mattermost Server SSRF Vulnerability via the Agents 
Plugin","affected_versions":">=10.5.0,<10.5.10|<8.0.0-20250814075248-83a37a861d3c","fixed_version":"8.0.0-20250814075248-83a37a861d3c","source":"osv","published_at":"2025-08-21T09:30:21Z","in_kev":false,"epss_prob":0.00033,"epss_percentile":0.09592,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-6233","severity":"medium","summary":"Mattermost Path Traversal vulnerability","affected_versions":">=10.8.0,<10.8.2|>=10.7.0,<10.7.4|>=10.5.0,<10.5.8|>=9.11.0,<9.11.17|<8.0.0-20250529054450-d38c27f96fcf","fixed_version":"8.0.0-20250529054450-d38c27f96fcf","source":"osv","published_at":"2025-07-18T12:30:36Z","in_kev":false,"epss_prob":0.00101,"epss_percentile":0.27631,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-41436","severity":"low","summary":"Mattermost allows regular users to access archived channel content and files","affected_versions":"<11.0.0-alpha.1|<8.0.0-20250815165020-c8d66301415d","fixed_version":"8.0.0-20250815165020-c8d66301415d","source":"osv","published_at":"2025-11-14T09:30:27Z","in_kev":false,"epss_prob":0.00029,"epss_percentile":0.08326,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-8023","severity":"medium","summary":"Mattermost Fails to Sanitize Path Traversal Sequences","affected_versions":">=10.8.0,<10.8.4|>=10.5.0,<10.5.9|>=9.11.0,<9.11.18|>=10.9.0,<10.9.3|<8.0.0-20250708065844-b38e2eccda18|<=5.39.5|<=6.7.2","fixed_version":"8.0.0-20250708065844-b38e2eccda18","source":"osv","published_at":"2025-08-21T09:30:22Z","in_kev":false,"epss_prob":0.00056,"epss_percentile":0.1749,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-55070","severity":"medium","summary":"Mattermost does not enforce MFA on WebSocket 
connections","affected_versions":"<11.1.0|<8.0.0-20250912063506-7d8b7b5e4a60","fixed_version":"8.0.0-20250912063506-7d8b7b5e4a60","source":"osv","published_at":"2025-11-14T09:30:27Z","in_kev":false,"epss_prob":0.00148,"epss_percentile":0.34986,"threat_tier":"theoretical"},{"vuln_id":"BIT-mattermost-2023-50333","severity":"unknown","summary":"Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2024-06-28T15:28:53Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-mattermost-2023-7113","severity":"unknown","summary":"Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2024-06-28T15:28:53Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-mattermost-2023-47858","severity":"unknown","summary":"Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2024-06-28T15:28:53Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-mattermost-2024-21848","severity":"unknown","summary":"Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2024-06-05T15:10:52Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-mattermost-2024-47003","severity":"unknown","summary":"Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20240806094731-69a8b3df0f9f","fixed_version":"8.0.0-20240806094731-69a8b3df0f9f","source":"osv","published_at":"2024-10-10T15:29:47Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2024-10214","severity":"unknown","summary":"Mattermost incorrectly issues two 
sessions when using desktop SSO in github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20240821220019-0d6b1070a26f","fixed_version":"8.0.0-20240821220019-0d6b1070a26f","source":"osv","published_at":"2024-10-30T16:01:03Z","in_kev":false,"epss_prob":0.00363,"epss_percentile":0.58359,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-10241","severity":"unknown","summary":"Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20240813135334-8f3a13122f55","fixed_version":"8.0.0-20240813135334-8f3a13122f55","source":"osv","published_at":"2024-10-30T21:28:25Z","in_kev":false,"epss_prob":0.00363,"epss_percentile":0.58359,"threat_tier":"theoretical"},{"vuln_id":"BIT-mattermost-2024-46872","severity":"unknown","summary":"Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery in github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20240926115259-20ed58906adc","fixed_version":"8.0.0-20240926115259-20ed58906adc","source":"osv","published_at":"2024-11-04T15:44:16Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2024-47401","severity":"unknown","summary":"Mattermost Server vulnerable to application crash from attacker-generated large response in github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20240926115259-20ed58906adc","fixed_version":"8.0.0-20240926115259-20ed58906adc","source":"osv","published_at":"2024-11-04T15:44:16Z","in_kev":false,"epss_prob":0.00182,"epss_percentile":0.39672,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-50052","severity":"unknown","summary":"Mattermost server allows authenticated user to delete arbitrary post in 
github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20240926115259-20ed58906adc","fixed_version":"8.0.0-20240926115259-20ed58906adc","source":"osv","published_at":"2024-11-04T15:44:16Z","in_kev":false,"epss_prob":0.00256,"epss_percentile":0.48946,"threat_tier":"theoretical"},{"vuln_id":"BIT-mattermost-2024-28053","severity":"unknown","summary":"Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server","affected_versions":"<0.0.0-20240209181221-674f549daf0e","fixed_version":"0.0.0-20240209181221-674f549daf0e","source":"osv","published_at":"2024-12-18T16:35:54Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2025-22449","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=9.11.0+incompatible|<8.0.0-20250102081831-64c566a8280b","fixed_version":"8.0.0-20250102081831-64c566a8280b","source":"osv","published_at":"2025-01-09T19:41:13Z","in_kev":false,"epss_prob":0.00084,"epss_percentile":0.24403,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-20033","severity":"unknown","summary":"Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.2.0+incompatible,<10.2.1+incompatible|<8.0.0-20250102081831-64c566a8280b","fixed_version":"8.0.0-20250102081831-64c566a8280b","source":"osv","published_at":"2025-01-09T19:41:59Z","in_kev":false,"epss_prob":0.00155,"epss_percentile":0.36032,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-22445","severity":"unknown","summary":"Mattermost has Improper Check for Unusual or Exceptional Conditions in 
github.com/mattermost/mattermost-server","affected_versions":"<10.3.0+incompatible|<8.0.0-20250102081831-64c566a8280b","fixed_version":"8.0.0-20250102081831-64c566a8280b","source":"osv","published_at":"2025-01-09T19:41:13Z","in_kev":false,"epss_prob":0.00196,"epss_percentile":0.41422,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-20086","severity":"unknown","summary":"Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server","affected_versions":">=10.2.0+incompatible,<10.2.1+incompatible|<8.0.0-20241127161322-25ff7a3779a5","fixed_version":"8.0.0-20241127161322-25ff7a3779a5","source":"osv","published_at":"2025-01-16T21:58:23Z","in_kev":false,"epss_prob":0.00447,"epss_percentile":0.63582,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-21088","severity":"unknown","summary":"Mattermost Incorrect Type Conversion or Cast in github.com/mattermost/mattermost-server","affected_versions":">=10.2.0+incompatible,<10.2.1+incompatible|<8.0.0-20241127161322-25ff7a3779a5","fixed_version":"8.0.0-20241127161322-25ff7a3779a5","source":"osv","published_at":"2025-01-16T21:58:25Z","in_kev":false,"epss_prob":0.00177,"epss_percentile":0.39028,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-20088","severity":"unknown","summary":"Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server","affected_versions":">=10.2.0+incompatible,<10.2.1+incompatible|<8.0.0-20241127161322-25ff7a3779a5","fixed_version":"8.0.0-20241127161322-25ff7a3779a5","source":"osv","published_at":"2025-01-16T21:58:27Z","in_kev":false,"epss_prob":0.00447,"epss_percentile":0.63582,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-20621","severity":"unknown","summary":"Mattermost webapp crash via a crafted post in 
github.com/mattermost/mattermost-server","affected_versions":">=10.2.0+incompatible,<10.2.1+incompatible|<8.0.0-20241127161322-25ff7a3779a5","fixed_version":"8.0.0-20241127161322-25ff7a3779a5","source":"osv","published_at":"2025-01-17T21:48:34Z","in_kev":false,"epss_prob":0.0039,"epss_percentile":0.60069,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-25279","severity":"unknown","summary":"Mattermost allows reading arbitrary files related to importing boards in github.com/mattermost/mattermost-server","affected_versions":">=10.4.0-rc1+incompatible,<10.4.2+incompatible|<8.0.0-20250122165010-4ed702ccff4e","fixed_version":"8.0.0-20250122165010-4ed702ccff4e","source":"osv","published_at":"2025-03-03T19:22:09Z","in_kev":false,"epss_prob":0.61205,"epss_percentile":0.98325,"threat_tier":"likely_exploited"},{"vuln_id":"CVE-2025-24526","severity":"unknown","summary":"Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server","affected_versions":">=10.4.0-rc1+incompatible,<10.4.2+incompatible|<8.0.0-20250110161910-96195f1bd746","fixed_version":"8.0.0-20250110161910-96195f1bd746","source":"osv","published_at":"2025-03-03T19:22:09Z","in_kev":false,"epss_prob":0.00199,"epss_percentile":0.41901,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-1412","severity":"unknown","summary":"Mattermost fails to invalidate all active sessions when converting a user to a bot in github.com/mattermost/mattermost-server","affected_versions":">=10.4.0-rc1+incompatible,<10.4.2+incompatible|<8.0.0-20241217145510-faa7e4f2ea0c","fixed_version":"8.0.0-20241217145510-faa7e4f2ea0c","source":"osv","published_at":"2025-03-03T19:22:09Z","in_kev":false,"epss_prob":0.00166,"epss_percentile":0.37464,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-20051","severity":"unknown","summary":"Mattermost allows reading arbitrary files in 
github.com/mattermost/mattermost-server","affected_versions":">=10.4.0-rc1+incompatible,<10.4.2+incompatible|<8.0.0-20250122165010-4ed702ccff4e","fixed_version":"8.0.0-20250122165010-4ed702ccff4e","source":"osv","published_at":"2025-03-03T19:22:09Z","in_kev":false,"epss_prob":0.00251,"epss_percentile":0.48504,"threat_tier":"theoretical"},{"vuln_id":"BIT-mattermost-2025-27933","severity":"unknown","summary":"Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server","affected_versions":">=10.4.0+incompatible,<10.4.3+incompatible|<8.0.0-20250218135018-e644e3c8e393","fixed_version":"8.0.0-20250218135018-e644e3c8e393","source":"osv","published_at":"2025-03-25T19:38:11Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2025-32093","severity":"unknown","summary":"Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250227102013-aa4623a93199","fixed_version":"8.0.0-20250227102013-aa4623a93199","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.00228,"epss_percentile":0.45551,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-2475","severity":"unknown","summary":"Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250220161544-fd356b62b4dd","fixed_version":"8.0.0-20250220161544-fd356b62b4dd","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.00193,"epss_percentile":0.4103,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-2424","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in 
github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250213231113-68c11e9ecb71","fixed_version":"8.0.0-20250213231113-68c11e9ecb71","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.00138,"epss_percentile":0.33401,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-27936","severity":"unknown","summary":"Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250218121836-2b5275d87136","fixed_version":"8.0.0-20250218121836-2b5275d87136","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.00212,"epss_percentile":0.43606,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-27571","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250218121836-2b5275d87136","fixed_version":"8.0.0-20250218121836-2b5275d87136","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.00183,"epss_percentile":0.39853,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-27538","severity":"unknown","summary":"Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250314142426-c049748b8863","fixed_version":"8.0.0-20250314142426-c049748b8863","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.0018,"epss_percentile":0.39416,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-24839","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in 
github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250218121836-2b5275d87136","fixed_version":"8.0.0-20250218121836-2b5275d87136","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.00152,"epss_percentile":0.35617,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-31363","severity":"unknown","summary":"Mattermost doesn't restrict domains LLM can request to contact upstream in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.1+incompatible|<8.0.0-20250218121836-2b5275d87136","fixed_version":"8.0.0-20250218121836-2b5275d87136","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.00159,"epss_percentile":0.365,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-2564","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250314142426-c049748b8863","fixed_version":"8.0.0-20250314142426-c049748b8863","source":"osv","published_at":"2025-04-22T18:14:45Z","in_kev":false,"epss_prob":0.00183,"epss_percentile":0.39853,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-41395","severity":"unknown","summary":"Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks","affected_versions":"<1.41.0|>=9.11.0+incompatible|>=10.4.0+incompatible|>=10.5.0+incompatible|<8.0.0-20250218121836-2b5275d87136","fixed_version":"8.0.0-20250218121836-2b5275d87136","source":"osv","published_at":"2025-04-24T18:14:57Z","in_kev":false,"epss_prob":0.00132,"epss_percentile":0.32533,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-35965","severity":"unknown","summary":"Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in 
github.com/mattermost/mattermost-plugin-playbooks","affected_versions":"<1.41.0|>=9.11.0+incompatible|>=10.4.0+incompatible|>=10.5.0+incompatible|<8.0.0-20250218121836-2b5275d87136","fixed_version":"8.0.0-20250218121836-2b5275d87136","source":"osv","published_at":"2025-04-24T18:14:57Z","in_kev":false,"epss_prob":0.00337,"epss_percentile":0.56525,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-41423","severity":"unknown","summary":"Mattermost Playbooks fails to properly validate permissions in github.com/mattermost/mattermost-plugin-playbooks","affected_versions":"<1.41.0|>=9.11.0+incompatible|>=10.4.0+incompatible|>=10.5.0+incompatible|<8.0.0-20250218121836-2b5275d87136","fixed_version":"8.0.0-20250218121836-2b5275d87136","source":"osv","published_at":"2025-04-24T18:14:57Z","in_kev":false,"epss_prob":0.00042,"epss_percentile":0.12727,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-2527","severity":"unknown","summary":"Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.3+incompatible|<8.0.0-20250411064244-844447fbd57c","fixed_version":"8.0.0-20250411064244-844447fbd57c","source":"osv","published_at":"2025-05-23T15:17:19Z","in_kev":false,"epss_prob":0.0017,"epss_percentile":0.37912,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-31947","severity":"unknown","summary":"Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server","affected_versions":">=10.6.0+incompatible,<10.6.2+incompatible|<8.0.0-20250415054241-76ab3867b785","fixed_version":"8.0.0-20250415054241-76ab3867b785","source":"osv","published_at":"2025-05-23T15:17:19Z","in_kev":false,"epss_prob":0.0036,"epss_percentile":0.58196,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-3446","severity":"unknown","summary":"Mattermost Fails to Validate Team Invite Permissions in 
github.com/mattermost/mattermost-server","affected_versions":">=10.6.0+incompatible,<10.6.2+incompatible|<8.0.0-20250415054241-76ab3867b785","fixed_version":"8.0.0-20250415054241-76ab3867b785","source":"osv","published_at":"2025-05-23T15:17:19Z","in_kev":false,"epss_prob":0.00188,"epss_percentile":0.40455,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-2570","severity":"unknown","summary":"Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.3+incompatible|<8.0.0-20250411064244-844447fbd57c","fixed_version":"8.0.0-20250411064244-844447fbd57c","source":"osv","published_at":"2025-05-23T15:17:19Z","in_kev":false,"epss_prob":0.00217,"epss_percentile":0.44193,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-3913","severity":"unknown","summary":"Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server","affected_versions":">=10.7.0-rc1+incompatible,<10.7.1+incompatible|<8.0.0-20250412152950-02c76784380a","fixed_version":"8.0.0-20250412152950-02c76784380a","source":"osv","published_at":"2025-06-03T17:58:02Z","in_kev":false,"epss_prob":0.00282,"epss_percentile":0.51545,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-3611","severity":"unknown","summary":"Mattermost fails to properly enforce access control restrictions for System Manager roles in github.com/mattermost/mattermost-server","affected_versions":">=10.6.0-rc1+incompatible,<10.7.1+incompatible|<8.0.0-20250414154356-6f33b721de76","fixed_version":"8.0.0-20250414154356-6f33b721de76","source":"osv","published_at":"2025-06-03T17:58:02Z","in_kev":false,"epss_prob":0.00138,"epss_percentile":0.33458,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-2571","severity":"unknown","summary":"Mattermost fails to clear Google OAuth credentials in 
github.com/mattermost/mattermost-server","affected_versions":">=10.7.0-rc1+incompatible,<10.7.1+incompatible|<8.0.0-20250414095146-04676582cdd2","fixed_version":"8.0.0-20250414095146-04676582cdd2","source":"osv","published_at":"2025-06-03T17:58:02Z","in_kev":false,"epss_prob":0.00173,"epss_percentile":0.38457,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-1792","severity":"unknown","summary":"Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server","affected_versions":">=10.6.0-rc1+incompatible,<10.7.1+incompatible|<8.0.0-20250414110750-c23f44fe8ed0","fixed_version":"8.0.0-20250414110750-c23f44fe8ed0","source":"osv","published_at":"2025-06-03T17:58:02Z","in_kev":false,"epss_prob":0.00138,"epss_percentile":0.33458,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-3230","severity":"unknown","summary":"Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server","affected_versions":">=10.7.0-rc1+incompatible,<10.7.1+incompatible|<8.0.0-20250402193107-65343f84a783","fixed_version":"8.0.0-20250402193107-65343f84a783","source":"osv","published_at":"2025-06-03T17:58:02Z","in_kev":false,"epss_prob":0.00193,"epss_percentile":0.4103,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-4573","severity":"unknown","summary":"Mattermost allows authenticated administrator to execute LDAP search filter injection in github.com/mattermost/mattermost-server","affected_versions":">=10.7.0+incompatible,<10.7.2+incompatible|<8.0.0-20250414112942-77892234944b","fixed_version":"8.0.0-20250414112942-77892234944b","source":"osv","published_at":"2025-06-11T17:45:49Z","in_kev":false,"epss_prob":0.00207,"epss_percentile":0.43036,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-4128","severity":"unknown","summary":"Mattermost allows guest users to view information about public teams they are not members of in 
github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.5+incompatible|<8.0.0-20250422131222-701ddc896a10","fixed_version":"8.0.0-20250422131222-701ddc896a10","source":"osv","published_at":"2025-06-11T17:45:49Z","in_kev":false,"epss_prob":0.00128,"epss_percentile":0.31832,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-4981","severity":"unknown","summary":"Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server","affected_versions":">=10.8.0+incompatible,<10.8.1+incompatible|<8.0.0-20250519205859-65aec10162f6","fixed_version":"8.0.0-20250519205859-65aec10162f6","source":"osv","published_at":"2025-07-28T19:57:13Z","in_kev":false,"epss_prob":0.0169,"epss_percentile":0.82298,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-3228","severity":"unknown","summary":"Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server","affected_versions":">=10.8.0+incompatible,<10.8.1+incompatible|<8.0.0-20250520060012-d0380305ef7a","fixed_version":"8.0.0-20250520060012-d0380305ef7a","source":"osv","published_at":"2025-07-28T19:57:13Z","in_kev":false,"epss_prob":0.00183,"epss_percentile":0.39807,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-3227","severity":"unknown","summary":"Mattermost allows unauthorized channel member management through playbook runs in github.com/mattermost/mattermost-server","affected_versions":">=10.8.0+incompatible,<10.8.1+incompatible|<8.0.0-20250520060012-d0380305ef7a","fixed_version":"8.0.0-20250520060012-d0380305ef7a","source":"osv","published_at":"2025-07-28T19:57:13Z","in_kev":false,"epss_prob":0.0017,"epss_percentile":0.38014,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-46702","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in 
github.com/mattermost/mattermost-server","affected_versions":">=10.8.0+incompatible,<10.8.1+incompatible|<8.0.0-20250513065225-4ae5d647fb88","fixed_version":"8.0.0-20250513065225-4ae5d647fb88","source":"osv","published_at":"2025-07-28T19:57:13Z","in_kev":false,"epss_prob":0.00075,"epss_percentile":0.2248,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-47871","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.8.0+incompatible,<10.8.1+incompatible|<8.0.0-20250513065225-4ae5d647fb88","fixed_version":"8.0.0-20250513065225-4ae5d647fb88","source":"osv","published_at":"2025-07-28T19:57:13Z","in_kev":false,"epss_prob":0.00068,"epss_percentile":0.20834,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-6227","severity":"unknown","summary":"Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.8+incompatible|<8.0.0-20250612074655-8f8612c63783","fixed_version":"8.0.0-20250612074655-8f8612c63783","source":"osv","published_at":"2025-07-29T18:49:33Z","in_kev":false,"epss_prob":0.00045,"epss_percentile":0.13901,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-6226","severity":"unknown","summary":"Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server","affected_versions":">=10.8.0+incompatible,<10.8.2+incompatible|<8.0.0-20250520130510-fa40a8c5d47f","fixed_version":"8.0.0-20250520130510-fa40a8c5d47f","source":"osv","published_at":"2025-07-29T18:49:33Z","in_kev":false,"epss_prob":0.0007,"epss_percentile":0.21377,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-6233","severity":"unknown","summary":"Mattermost Path Traversal vulnerability in 
github.com/mattermost/mattermost-server","affected_versions":">=10.8.0+incompatible,<10.8.2+incompatible|<8.0.0-20250529054450-d38c27f96fcf","fixed_version":"8.0.0-20250529054450-d38c27f96fcf","source":"osv","published_at":"2025-07-29T18:49:33Z","in_kev":false,"epss_prob":0.00101,"epss_percentile":0.27631,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-53971","severity":"unknown","summary":"Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.9+incompatible|<8.0.0-20250721095846-c602a4a78e1f","fixed_version":"8.0.0-20250721095846-c602a4a78e1f","source":"osv","published_at":"2025-08-29T14:52:20Z","in_kev":false,"epss_prob":0.00039,"epss_percentile":0.11557,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-49810","severity":"unknown","summary":"Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.9+incompatible|<8.0.0-20250721095846-c602a4a78e1f","fixed_version":"8.0.0-20250721095846-c602a4a78e1f","source":"osv","published_at":"2025-08-29T14:52:20Z","in_kev":false,"epss_prob":0.0003,"epss_percentile":0.08541,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-47870","severity":"unknown","summary":"Mattermost Does Not Sanitize the Team Invite ID in github.com/mattermost/mattermost-server","affected_versions":">=10.9.0+incompatible,<10.9.3+incompatible|<8.0.0-20250708065844-b38e2eccda18","fixed_version":"8.0.0-20250708065844-b38e2eccda18","source":"osv","published_at":"2025-08-29T14:52:20Z","in_kev":false,"epss_prob":0.0004,"epss_percentile":0.12025,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-47700","severity":"unknown","summary":"Mattermost Server SSRF Vulnerability via the Agents Plugin in 
github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.10+incompatible|<8.0.0-20250814075248-83a37a861d3c","fixed_version":"8.0.0-20250814075248-83a37a861d3c","source":"osv","published_at":"2025-08-29T14:52:20Z","in_kev":false,"epss_prob":0.00033,"epss_percentile":0.09592,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-8023","severity":"unknown","summary":"Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server","affected_versions":">=10.9.0+incompatible,<10.9.3+incompatible|<8.0.0-20250708065844-b38e2eccda18","fixed_version":"8.0.0-20250708065844-b38e2eccda18","source":"osv","published_at":"2025-08-29T14:52:20Z","in_kev":false,"epss_prob":0.00056,"epss_percentile":0.1749,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-9072","severity":"unknown","summary":"Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.10.0+incompatible,<10.10.2+incompatible|<8.0.0-20250731063404-9eebaadf8f72","fixed_version":"8.0.0-20250731063404-9eebaadf8f72","source":"osv","published_at":"2025-09-17T17:03:49Z","in_kev":false,"epss_prob":0.00031,"epss_percentile":0.08864,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-9078","severity":"unknown","summary":"Mattermost makes Use of Weak Hash in github.com/mattermost/mattermost-server","affected_versions":">=10.10.0+incompatible,<10.10.2+incompatible|<8.0.0-20250718075842-cd87e5c87737","fixed_version":"8.0.0-20250718075842-cd87e5c87737","source":"osv","published_at":"2025-09-17T17:03:49Z","in_kev":false,"epss_prob":0.00022,"epss_percentile":0.0606,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-9079","severity":"unknown","summary":"Mattermost Path Traversal vulnerability in 
github.com/mattermost/mattermost-server","affected_versions":">=10.10.0+incompatible,<10.10.2+incompatible|<8.0.0-20250707221302-a8fa77f107ef","fixed_version":"8.0.0-20250707221302-a8fa77f107ef","source":"osv","published_at":"2025-09-24T19:21:37Z","in_kev":false,"epss_prob":0.00051,"epss_percentile":0.15791,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-9081","severity":"unknown","summary":"Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards","affected_versions":"<0.0.0-20250716054606-3f3e3becfe1d|>=10.5.0-rc1+incompatible,<10.5.9+incompatible|<8.0.0-20250721095935-11c36f4d1e44","fixed_version":"8.0.0-20250721095935-11c36f4d1e44","source":"osv","published_at":"2025-09-24T19:21:41Z","in_kev":false,"epss_prob":0.00011,"epss_percentile":0.01481,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-10545","severity":"unknown","summary":"Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.11.0+incompatible,<10.11.3+incompatible|<8.0.0-20250820115038-ff30b84049f0","fixed_version":"8.0.0-20250820115038-ff30b84049f0","source":"osv","published_at":"2025-10-30T15:02:33Z","in_kev":false,"epss_prob":8e-05,"epss_percentile":0.00804,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-41443","severity":"unknown","summary":"Guest user can discover active public channels in github.com/mattermost/mattermost-server","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2025-10-30T15:02:33Z","in_kev":false,"epss_prob":0.00011,"epss_percentile":0.01379,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-58073","severity":"unknown","summary":"Mattermost has a Missing Authorization vulnerability in 
github.com/mattermost/mattermost-server","affected_versions":">=10.11.0+incompatible,<10.11.2+incompatible|<8.0.0-20250807174701-e14175eb6539","fixed_version":"8.0.0-20250807174701-e14175eb6539","source":"osv","published_at":"2025-10-30T15:02:33Z","in_kev":false,"epss_prob":0.00046,"epss_percentile":0.14053,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-54499","severity":"unknown","summary":"Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.11.0+incompatible,<10.11.3+incompatible|<8.0.0-20250728063359-38208b8f065f","fixed_version":"8.0.0-20250728063359-38208b8f065f","source":"osv","published_at":"2025-10-30T15:02:33Z","in_kev":false,"epss_prob":0.00032,"epss_percentile":0.09172,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-11777","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost","affected_versions":">=10.11.0+incompatible,<10.11.4+incompatible|<8.0.0-20251212204551-54f2e9b4afd5","fixed_version":"8.0.0-20251212204551-54f2e9b4afd5","source":"osv","published_at":"2025-11-17T19:11:25Z","in_kev":false,"epss_prob":0.00027,"epss_percentile":0.07621,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-11776","severity":"unknown","summary":"Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost","affected_versions":"<8.0.0-20250815165020-c8d66301415d","fixed_version":"8.0.0-20250815165020-c8d66301415d","source":"osv","published_at":"2025-11-17T19:11:25Z","in_kev":false,"epss_prob":0.00039,"epss_percentile":0.11613,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-55070","severity":"unknown","summary":"Mattermost does not enforce MFA on WebSocket connections in 
github.com/mattermost/mattermost-server","affected_versions":"<11.1.0+incompatible|<8.0.0-20250912063506-7d8b7b5e4a60","fixed_version":"8.0.0-20250912063506-7d8b7b5e4a60","source":"osv","published_at":"2025-11-17T19:11:25Z","in_kev":false,"epss_prob":0.00148,"epss_percentile":0.34986,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-55073","severity":"unknown","summary":"Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server","affected_versions":">=10.12.0+incompatible,<10.12.1+incompatible|<8.0.0-20250929212932-a41db04d2746","fixed_version":"8.0.0-20250929212932-a41db04d2746","source":"osv","published_at":"2025-11-18T15:34:32Z","in_kev":false,"epss_prob":0.00045,"epss_percentile":0.13795,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-11794","severity":"unknown","summary":"Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server","affected_versions":">=10.12.0+incompatible,<10.12.1+incompatible|<8.0.0-20250929212932-a41db04d2746","fixed_version":"8.0.0-20250929212932-a41db04d2746","source":"osv","published_at":"2025-11-18T15:34:32Z","in_kev":false,"epss_prob":0.00044,"epss_percentile":0.1335,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-41436","severity":"unknown","summary":"Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server","affected_versions":"<11.0.0-alpha.1+incompatible|<8.0.0-20250815165020-c8d66301415d","fixed_version":"8.0.0-20250815165020-c8d66301415d","source":"osv","published_at":"2025-11-18T15:34:32Z","in_kev":false,"epss_prob":0.00029,"epss_percentile":0.08326,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-12419","severity":"unknown","summary":"Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in 
github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20251028000919-d3ed703dc833","fixed_version":"8.0.0-20251028000919-d3ed703dc833","source":"osv","published_at":"2025-12-15T20:33:49Z","in_kev":false,"epss_prob":0.00081,"epss_percentile":0.23662,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-12559","severity":"unknown","summary":"Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20251015091448-abbf01b9db45","fixed_version":"8.0.0-20251015091448-abbf01b9db45","source":"osv","published_at":"2025-12-15T20:33:49Z","in_kev":false,"epss_prob":0.00037,"epss_percentile":0.10987,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-12421","severity":"unknown","summary":"Mattermost fails to verify the token used during code exchange in github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20251022210333-acda1fb5dd46","fixed_version":"8.0.0-20251022210333-acda1fb5dd46","source":"osv","published_at":"2025-12-15T20:33:49Z","in_kev":false,"epss_prob":0.00081,"epss_percentile":0.23662,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-12756","severity":"unknown","summary":"Mattermost fails to validate user permissions when deleting comments in Boards in github.com/mattermost/mattermost","affected_versions":">=10.5.0+incompatible|>=10.11.0+incompatible|>=10.12.0+incompatible","fixed_version":null,"source":"osv","published_at":"2025-12-02T19:46:53Z","in_kev":false,"epss_prob":0.00041,"epss_percentile":0.12588,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-13870","severity":"unknown","summary":"Mattermost fails to validate user permissions in Boards in 
github.com/mattermost/mattermost","affected_versions":">=10.11.0+incompatible,<10.11.5+incompatible|<8.0.0-20251212204551-54f2e9b4afd5","fixed_version":"8.0.0-20251212204551-54f2e9b4afd5","source":"osv","published_at":"2025-12-08T21:31:36Z","in_kev":false,"epss_prob":0.00048,"epss_percentile":0.14913,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-13352","severity":"unknown","summary":"Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in github.com/mattermost/mattermost","affected_versions":">=11.0.0-alpha.1+incompatible,<11.1.0+incompatible|<1.0.1-0.20250829075715-0deffcfc6bee|>=10.11.0-rc1+incompatible","fixed_version":"1.0.1-0.20250829075715-0deffcfc6bee","source":"osv","published_at":"2025-12-22T18:15:35Z","in_kev":false,"epss_prob":0.00084,"epss_percentile":0.24256,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-62690","severity":"unknown","summary":"Mattermost has missing redirect URL validation in github.com/mattermost/mattermost","affected_versions":">=10.11.0-rc1+incompatible,<11.1.0+incompatible|>=8.0.0-20250721062209-4952acea88ce,<8.0.0-20251016131338-dad6bd7a1509","fixed_version":"8.0.0-20251016131338-dad6bd7a1509","source":"osv","published_at":"2026-01-14T19:15:43Z","in_kev":false,"epss_prob":0.00051,"epss_percentile":0.15948,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-13324","severity":"unknown","summary":"Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost","affected_versions":">=11.0.0-alpha.1+incompatible,<11.0.4+incompatible|<11.0.4+incompatible|<8.0.0-20251031095924-e7e23b94e006","fixed_version":"8.0.0-20251031095924-e7e23b94e006","source":"osv","published_at":"2025-12-30T01:49:57Z","in_kev":false,"epss_prob":0.00054,"epss_percentile":0.16764,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-14273","severity":"unknown","summary":"Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication 
Algorithm in github.com/mattermost/mattermost-plugin-jira","affected_versions":"<8.0.0-20251121122154-b57c297c6d7a","fixed_version":"8.0.0-20251121122154-b57c297c6d7a","source":"osv","published_at":"2026-01-12T17:39:39Z","in_kev":false,"epss_prob":0.00141,"epss_percentile":0.33953,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-0999","severity":"unknown","summary":"Mattermost fails to properly validate login method restrictions in github.com/mattermost/mattermost-server","affected_versions":">=10.11.0+incompatible|>=11.1.0+incompatible|>=11.2.0+incompatible|<8.0.0-20251212052346-61651b0df7ea","fixed_version":"8.0.0-20251212052346-61651b0df7ea","source":"osv","published_at":"2026-02-23T18:23:12Z","in_kev":false,"epss_prob":0.00052,"epss_percentile":0.16019,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-14350","severity":"unknown","summary":"Mattermost fails to properly validate team membership when processing channel mentions in github.com/mattermost/mattermost-server","affected_versions":">=10.11.0+incompatible|>=11.1.0+incompatible|>=11.2.0+incompatible|<8.0.0-20251209134645-761e56bb11cc","fixed_version":"8.0.0-20251209134645-761e56bb11cc","source":"osv","published_at":"2026-02-23T18:23:12Z","in_kev":false,"epss_prob":0.0004,"epss_percentile":0.11988,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-14573","severity":"unknown","summary":"Mattermost fails to enforce invite permissions when updating team settings in github.com/mattermost/mattermost-server","affected_versions":">=10.11.0+incompatible|>=11.1.0+incompatible|>=11.2.0+incompatible|<8.0.0-20251215190648-6404ab29acc0","fixed_version":"8.0.0-20251215190648-6404ab29acc0","source":"osv","published_at":"2026-02-23T18:23:12Z","in_kev":false,"epss_prob":0.0003,"epss_percentile":0.08571,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-13821","severity":"unknown","summary":"Mattermost fails to sanitize sensitive data in WebSocket messages in 
github.com/mattermost/mattermost-server","affected_versions":">=10.11.0+incompatible|>=11.1.0+incompatible|>=11.2.0+incompatible|<8.0.0-20251210191531-cd17b61de41b","fixed_version":"8.0.0-20251210191531-cd17b61de41b","source":"osv","published_at":"2026-02-23T18:23:12Z","in_kev":false,"epss_prob":0.00044,"epss_percentile":0.13415,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-25783","severity":"unknown","summary":"Mattermost fails to properly validate User-Agent header tokens in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260129181235-1346cf529aef","fixed_version":"8.0.0-20260129181235-1346cf529aef","source":"osv","published_at":"2026-03-26T20:33:02Z","in_kev":false,"epss_prob":0.0008,"epss_percentile":0.23377,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-2456","severity":"unknown","summary":"Mattermost fails to limit the size of responses from integration action endpoints in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260127165411-fe3052073dc6","fixed_version":"8.0.0-20260127165411-fe3052073dc6","source":"osv","published_at":"2026-03-26T20:33:02Z","in_kev":false,"epss_prob":0.00042,"epss_percentile":0.12636,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-2458","severity":"unknown","summary":"Mattermost allows a removed team member to enumerate all public channels within a private team in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260113182106-a18b80ba4c32","fixed_version":"8.0.0-20260113182106-a18b80ba4c32","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00034,"epss_percentile":0.10059,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-24458","severity":"unknown","summary":"Mattermost fails to properly handle very long passwords in 
github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260129164748-7201f42d955f","fixed_version":"8.0.0-20260129164748-7201f42d955f","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.0006,"epss_percentile":0.18752,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-2457","severity":"unknown","summary":"Mattermost allows attackers to spoof permalink embeds in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260123211116-9efe617be8b8","fixed_version":"8.0.0-20260123211116-9efe617be8b8","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00019,"epss_percentile":0.05356,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-25780","severity":"unknown","summary":"Mattermost fails to bound memory allocation when processing DOC files in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260123215601-86797c508c44","fixed_version":"8.0.0-20260123215601-86797c508c44","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00052,"epss_percentile":0.16245,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-2578","severity":"unknown","summary":"Mattermost fails to preserve the redacted state of burn-on-read posts during deletion in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260127062706-c6b205f0d770","fixed_version":"8.0.0-20260127062706-c6b205f0d770","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00037,"epss_percentile":0.11032,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-2463","severity":"unknown","summary":"Mattermost fails to filter invite IDs based on user permissions in 
github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260105134819-cc427af41b2a","fixed_version":"8.0.0-20260105134819-cc427af41b2a","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00028,"epss_percentile":0.07902,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-21386","severity":"unknown","summary":"Mattermost fails to use consistent error responses when handling the /mute command in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260130144323-5bb5261c72fa","fixed_version":"8.0.0-20260130144323-5bb5261c72fa","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00037,"epss_percentile":0.11032,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-24692","severity":"unknown","summary":"Mattermost fails to properly enforce read permissions in search API endpoints in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260107142155-0481bd1fb045","fixed_version":"8.0.0-20260107142155-0481bd1fb045","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00028,"epss_percentile":0.07902,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-2455","severity":"unknown","summary":"Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260129133647-5d787969c2d5","fixed_version":"8.0.0-20260129133647-5d787969c2d5","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00034,"epss_percentile":0.10059,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-4265","severity":"unknown","summary":"Mattermost fails to validate team-specific upload_file permissions in 
github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260107144005-c7f6efdfb035","fixed_version":"8.0.0-20260107144005-c7f6efdfb035","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00029,"epss_percentile":0.08341,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-22545","severity":"unknown","summary":"Mattermost fails to validate user's authentication method when processing account auth type switch in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260127144908-ced9a56e3988","fixed_version":"8.0.0-20260127144908-ced9a56e3988","source":"osv","published_at":"2026-03-23T18:16:14Z","in_kev":false,"epss_prob":0.00045,"epss_percentile":0.13923,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":1},"versions":{"latest":"v11.6.1+incompatible","total_count":917,"recent":["v8.1.5-rc1+incompatible","v10.5.12+incompatible","v10.7.3-rc1+incompatible","v9.1.3+incompatible","v9.4.3+incompatible","v9.11.6-rc2+incompatible","v10.4.2+incompatible","v3.10.2+incompatible","v4.2.2-rc1+incompatible","v9.11.11+incompatible","v11.2.1-rc1+incompatible","v5.3.0-rc1+incompatible","v11.7.0-rc1+incompatible","v9.5.8-rc1+incompatible","v5.5.0+incompatible","v10.11.7+incompatible","v10.5.13+incompatible","v5.5.0-rc2+incompatible","v3.10.3-rc1+incompatible","v9.8.2+incompatible"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":1198,"first_published":null,"last_published":"2026-04-17T17:42:10Z","dependencies_count":0,"dependencies":[]},"bundle":null,"typescript":null,"known_issues":{"bugs_count":161,"bugs_severity":{"high":16,"medium":125,"low":10,"critical":10},"status_breakdown":{"fixed":150,"open":11},"link":"/api/bugs/go/github.com/mattermost/mattermost-server?version=v11.6.1+incompatible","scope":"version","details":[{"title":"Mattermost Server does not properly 
restrict use of slash commands","severity":"high","status":"fixed","affected_version":null,"fixed_version":"4.1.2","url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18886"},{"title":"Mattermost Server: initial_load API exposes unnecessary information","severity":"high","status":"fixed","affected_version":null,"fixed_version":"3.1.1","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11066"},{"title":"Mattermost has a Missing Authorization vulnerability","severity":"high","status":"fixed","affected_version":null,"fixed_version":"8.0.0-20250815100400-2d5cdc6e217e","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58075"},{"title":"Mattermost Server SAML implementation does not require encryption or signature verification as default","severity":"high","status":"fixed","affected_version":null,"fixed_version":"3.8.1-0.20170504181128-4f074fed0d65","url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18909"},{"title":"Mattermost Server does not enforce rate limits on password change attempts","severity":"high","status":"fixed","affected_version":null,"fixed_version":"3.2.0","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-11069"}]},"historical_compromise":null,"recommendation":{"action":"update_required","issues":["4 high severity vulnerabilities"],"use_version":"v11.6.1+incompatible","version_hint":"Update to >= 8.0.0-20260127144908-ced9a56e3988 to fix known vulnerabilities","summary":"github.com/mattermost/mattermost-server@v11.6.1+incompatible has vulnerabilities — update to latest"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false}}