{"package":"github.com/mattermost/mattermost-server/v5","ecosystem":"go","latest_version":"v5.39.3","description":"Mattermost is an open source platform for secure collaboration across the entire software development lifecycle.","license":"Apache-2.0","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://pkg.go.dev/github.com/mattermost/mattermost-server/v5","repository":"https://github.com/mattermost/mattermost-server/v5","downloads_weekly":36306,"health":{"score":43,"risk":"high","breakdown":{"maintenance":0,"popularity":10,"security":5,"maturity":15,"community":13},"deprecated":false,"max_score":100},"vulnerabilities":{"count":114,"critical":0,"high":0,"medium":10,"low":104,"details":[{"vuln_id":"CVE-2025-53971","severity":"low","summary":"Mattermost Fails to Properly Validate Team Role Modification","affected_versions":">=10.5.0,<10.5.9|>=9.11.0,<9.11.18|<8.0.0-20250721095846-c602a4a78e1f|<=5.39.3|<=6.7.2","fixed_version":"8.0.0-20250721095846-c602a4a78e1f","source":"osv","published_at":"2025-08-21T09:30:21Z","in_kev":false,"epss_prob":0.00039,"epss_percentile":0.11557,"threat_tier":"theoretical"},{"vuln_id":"BIT-mattermost-2023-1776","severity":"medium","summary":"Mattermost vulnerable to cross-site scripting (XSS)","affected_versions":">=6.0.0,<7.1.6|>=7.7.0,<7.7.2|>=7.1.0,<7.1.6|>=7.8.0,<7.8.1|>=5.0.0,<7.1.6|>=3.3.0,<7.1.6|=7.8.0","fixed_version":"7.1.6","source":"osv","published_at":"2023-03-31T12:30:16Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-mattermost-2023-1775","severity":"medium","summary":"Mattermost vulnerable to information disclosure ","affected_versions":">=3.3.0,<7.1.6|>=7.7.0,<7.7.2|>=7.1.0,<7.1.6|>=5.0.0,<7.1.6|>=6.0.0,<7.1.6","fixed_version":"7.1.6","source":"osv","published_at":"2023-03-31T12:30:16Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-mattermost-2023-1774","severity":"medium","summary":"Mattermost fails to 
properly authentication inviter's permissions to private channel","affected_versions":">=3.3.0,<7.1.6|>=7.7.0,<7.7.2|>=7.1.0,<7.1.6|>=5.0.0,<7.1.6|>=6.0.0,<7.1.6","fixed_version":"7.1.6","source":"osv","published_at":"2023-03-31T12:30:16Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2025-36530","severity":"medium","summary":"Mattermost Fails to Validate File Paths","affected_versions":">=10.9.0,<10.9.2|>=10.8.0,<10.8.4|>=10.5.0,<10.5.9|>=9.11.0,<9.11.18|<8.0.0-20250619095651-9dd0b3943e55|<=5.11.1|<=6.7.2","fixed_version":"8.0.0-20250619095651-9dd0b3943e55","source":"osv","published_at":"2025-08-21T09:30:21Z","in_kev":false,"epss_prob":0.00051,"epss_percentile":0.15906,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-8402","severity":"medium","summary":"Mattermost has Potential Server Crash due to Unvalidated Import Data","affected_versions":">=10.8.0,<10.8.4|>=10.5.0,<10.5.9|>=10.9.0,<10.9.4|>=10.10.0,<10.10.1|<8.0.0-20250708173752-d6b35c41f0ae5|>=9.11.0,<9.11.18|<=5.39.3|<=6.7.2|=10.10.0","fixed_version":"9.11.18","source":"osv","published_at":"2025-08-21T18:31:29Z","in_kev":false,"epss_prob":0.00108,"epss_percentile":0.28812,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-11776","severity":"medium","summary":"Mattermost fails to properly restrict access to archived channel search API","affected_versions":"<8.0.0-20250815165020-c8d66301415d|<5.3.2-0.20250815165020-c8d66301415d|<5.3.2-0.20250815165020-c8d66301415d|<5.3.2-0.20250815165020-c8d66301415d|<5.3.2-0.20250815165020-c8d66301415d","fixed_version":"5.3.2-0.20250815165020-c8d66301415d","source":"osv","published_at":"2025-11-14T09:30:27Z","in_kev":false,"epss_prob":0.00039,"epss_percentile":0.11613,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-11777","severity":"low","summary":"Mattermost Incorrect Authorization 
vulnerability","affected_versions":">=10.11.0,<10.11.4|>=10.5.0,<10.5.12|<8.0.0-20250905150616-ba86dfc5876b|<5.3.2-0.20250905150616-ba86dfc5876b|<5.3.2-0.20250905150616-ba86dfc5876b|<5.3.2-0.20250905150616-ba86dfc5876b|<5.3.2-0.20250905150616-ba86dfc5876b","fixed_version":"5.3.2-0.20250905150616-ba86dfc5876b","source":"osv","published_at":"2025-11-13T18:31:05Z","in_kev":false,"epss_prob":0.00027,"epss_percentile":0.07621,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-49222","severity":"medium","summary":"Mattermost Fails to Validate Remote Cluster Upload Sessions","affected_versions":">=10.8.0,<10.8.4|>=10.5.0,<10.5.9|>=9.11.0,<9.11.18|>=10.9.0,<10.9.3|>=10.10.0,<10.10.1|<8.0.0-20250708173752-d6b35c41f0ae5|<=5.39.3|<=5.7.2|=10.10.0","fixed_version":"8.0.0-20250708173752-d6b35c41f0ae5","source":"osv","published_at":"2025-08-21T09:30:21Z","in_kev":false,"epss_prob":0.00047,"epss_percentile":0.14433,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-47870","severity":"medium","summary":"Mattermost Does Not Sanitize the Team Invite ID","affected_versions":">=10.8.0,<10.8.4|>=10.5.0,<10.5.9|>=9.11.0,<9.11.18|>=10.9.0,<10.9.3|<8.0.0-20250708065844-b38e2eccda18|<=5.39.3|<=6.7.2","fixed_version":"8.0.0-20250708065844-b38e2eccda18","source":"osv","published_at":"2025-08-21T09:30:21Z","in_kev":false,"epss_prob":0.0004,"epss_percentile":0.12025,"threat_tier":"theoretical"},{"vuln_id":"BIT-mattermost-2024-28053","severity":"low","summary":"Mattermost Server Resource Exhaustion","affected_versions":"<0.0.0-20240209181221-674f549daf0e|<0.0.0-20240209181221-674f549daf0e|<0.0.0-20240209181221-674f549daf0e|<0.0.0-20240209181221-674f549daf0e","fixed_version":"0.0.0-20240209181221-674f549daf0e","source":"osv","published_at":"2024-03-15T09:30:37Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2023-5968","severity":"medium","summary":"Mattermost password hash disclosure 
vulnerability","affected_versions":">=5.4.0-rc1,<7.8.12|>=8.0.0,<8.0.4|>=8.1.0,<8.1.3|>=9.0.0,<9.0.1|<8.0.0-20230825233148-f787fd63368a|<5.3.2-0.20230825233148-f787fd63368a|<5.3.2-0.20230825233148-f787fd63368a|<5.3.2-0.20230825233148-f787fd63368a|=9.0.0","fixed_version":"5.3.2-0.20230825233148-f787fd63368a","source":"osv","published_at":"2023-11-06T18:30:19Z","in_kev":false,"epss_prob":0.00139,"epss_percentile":0.33607,"threat_tier":"theoretical"},{"vuln_id":"BIT-mattermost-2024-39837","severity":"low","summary":"Mattermost did not properly restrict channel creation","affected_versions":">=9.5.0,<9.5.7|>=9.9.0,<9.9.1|<8.0.0-20240626164322-c758cecaf30c|>=9.9.0,<9.9.1|<5.3.2-0.20240626164322-c758cecaf30c|<6.0.0-20240626164322-c758cecaf30c|>=9.5.0,<9.5.7|=9.9.0|=9.9.0","fixed_version":"9.5.7","source":"osv","published_at":"2024-08-01T15:32:23Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2025-8023","severity":"medium","summary":"Mattermost Fails to Sanitize Path Traversal Sequences","affected_versions":">=10.8.0,<10.8.4|>=10.5.0,<10.5.9|>=9.11.0,<9.11.18|>=10.9.0,<10.9.3|<8.0.0-20250708065844-b38e2eccda18|<=5.39.5|<=6.7.2","fixed_version":"8.0.0-20250708065844-b38e2eccda18","source":"osv","published_at":"2025-08-21T09:30:22Z","in_kev":false,"epss_prob":0.00056,"epss_percentile":0.1749,"threat_tier":"theoretical"},{"vuln_id":"BIT-mattermost-2022-1337","severity":"unknown","summary":"Resource exhaustion in Mattermost in github.com/mattermost/mattermost-server","affected_versions":"<6.4.2","fixed_version":"6.4.2","source":"osv","published_at":"2024-08-21T15:11:38Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-mattermost-2022-1385","severity":"unknown","summary":"Improper Control of a Resource Through its Lifetime in Mattermost in 
github.com/mattermost/mattermost-server","affected_versions":"<6.5.0","fixed_version":"6.5.0","source":"osv","published_at":"2024-08-21T15:11:38Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-mattermost-2023-50333","severity":"unknown","summary":"Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2024-06-28T15:28:53Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-mattermost-2023-7113","severity":"unknown","summary":"Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2024-06-28T15:28:53Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-mattermost-2023-48732","severity":"unknown","summary":"Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server","affected_versions":"<8.1.7+incompatible","fixed_version":"8.1.7+incompatible","source":"osv","published_at":"2024-06-28T15:28:53Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-mattermost-2023-47858","severity":"unknown","summary":"Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2024-06-28T15:28:53Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-mattermost-2024-21848","severity":"unknown","summary":"Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server","affected_versions":null,"fixed_version":null,"source":"osv","published_at":"2024-06-05T15:10:52Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"BIT-mattermost-2024-47003","severity":"unknown","summary":"Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in 
github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20240806094731-69a8b3df0f9f","fixed_version":"8.0.0-20240806094731-69a8b3df0f9f","source":"osv","published_at":"2024-10-10T15:29:47Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2024-10214","severity":"unknown","summary":"Mattermost incorrectly issues two sessions when using desktop SSO in github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20240821220019-0d6b1070a26f","fixed_version":"8.0.0-20240821220019-0d6b1070a26f","source":"osv","published_at":"2024-10-30T16:01:03Z","in_kev":false,"epss_prob":0.00363,"epss_percentile":0.58359,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-10241","severity":"unknown","summary":"Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20240813135334-8f3a13122f55","fixed_version":"8.0.0-20240813135334-8f3a13122f55","source":"osv","published_at":"2024-10-30T21:28:25Z","in_kev":false,"epss_prob":0.00363,"epss_percentile":0.58359,"threat_tier":"theoretical"},{"vuln_id":"BIT-mattermost-2024-46872","severity":"unknown","summary":"Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery in github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20240926115259-20ed58906adc","fixed_version":"8.0.0-20240926115259-20ed58906adc","source":"osv","published_at":"2024-11-04T15:44:16Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2024-47401","severity":"unknown","summary":"Mattermost Server vulnerable to application crash from attacker-generated large response in 
github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20240926115259-20ed58906adc","fixed_version":"8.0.0-20240926115259-20ed58906adc","source":"osv","published_at":"2024-11-04T15:44:16Z","in_kev":false,"epss_prob":0.00182,"epss_percentile":0.39672,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-50052","severity":"unknown","summary":"Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20240926115259-20ed58906adc","fixed_version":"8.0.0-20240926115259-20ed58906adc","source":"osv","published_at":"2024-11-04T15:44:16Z","in_kev":false,"epss_prob":0.00256,"epss_percentile":0.48946,"threat_tier":"theoretical"},{"vuln_id":"BIT-mattermost-2024-28053","severity":"unknown","summary":"Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server","affected_versions":"<0.0.0-20240209181221-674f549daf0e","fixed_version":"0.0.0-20240209181221-674f549daf0e","source":"osv","published_at":"2024-12-18T16:35:54Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2025-22449","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=9.11.0+incompatible|<8.0.0-20250102081831-64c566a8280b","fixed_version":"8.0.0-20250102081831-64c566a8280b","source":"osv","published_at":"2025-01-09T19:41:13Z","in_kev":false,"epss_prob":0.00084,"epss_percentile":0.24403,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-20033","severity":"unknown","summary":"Mattermost Improper Validation of Specified Type of Input vulnerability in 
github.com/mattermost/mattermost-server","affected_versions":">=10.2.0+incompatible,<10.2.1+incompatible|<8.0.0-20250102081831-64c566a8280b","fixed_version":"8.0.0-20250102081831-64c566a8280b","source":"osv","published_at":"2025-01-09T19:41:59Z","in_kev":false,"epss_prob":0.00155,"epss_percentile":0.36032,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-22445","severity":"unknown","summary":"Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server","affected_versions":"<10.3.0+incompatible|<8.0.0-20250102081831-64c566a8280b","fixed_version":"8.0.0-20250102081831-64c566a8280b","source":"osv","published_at":"2025-01-09T19:41:13Z","in_kev":false,"epss_prob":0.00196,"epss_percentile":0.41422,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-20086","severity":"unknown","summary":"Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server","affected_versions":">=10.2.0+incompatible,<10.2.1+incompatible|<8.0.0-20241127161322-25ff7a3779a5","fixed_version":"8.0.0-20241127161322-25ff7a3779a5","source":"osv","published_at":"2025-01-16T21:58:23Z","in_kev":false,"epss_prob":0.00447,"epss_percentile":0.63582,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-21088","severity":"unknown","summary":"Mattermost Incorrect Type Conversion or Cast in github.com/mattermost/mattermost-server","affected_versions":">=10.2.0+incompatible,<10.2.1+incompatible|<8.0.0-20241127161322-25ff7a3779a5","fixed_version":"8.0.0-20241127161322-25ff7a3779a5","source":"osv","published_at":"2025-01-16T21:58:25Z","in_kev":false,"epss_prob":0.00177,"epss_percentile":0.39028,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-20088","severity":"unknown","summary":"Mattermost fails to properly validate post props in 
github.com/mattermost/mattermost-server","affected_versions":">=10.2.0+incompatible,<10.2.1+incompatible|<8.0.0-20241127161322-25ff7a3779a5","fixed_version":"8.0.0-20241127161322-25ff7a3779a5","source":"osv","published_at":"2025-01-16T21:58:27Z","in_kev":false,"epss_prob":0.00447,"epss_percentile":0.63582,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-20621","severity":"unknown","summary":"Mattermost webapp crash via a crafted post in github.com/mattermost/mattermost-server","affected_versions":">=10.2.0+incompatible,<10.2.1+incompatible|<8.0.0-20241127161322-25ff7a3779a5","fixed_version":"8.0.0-20241127161322-25ff7a3779a5","source":"osv","published_at":"2025-01-17T21:48:34Z","in_kev":false,"epss_prob":0.0039,"epss_percentile":0.60069,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-25279","severity":"unknown","summary":"Mattermost allows reading arbitrary files related to importing boards in github.com/mattermost/mattermost-server","affected_versions":">=10.4.0-rc1+incompatible,<10.4.2+incompatible|<8.0.0-20250122165010-4ed702ccff4e","fixed_version":"8.0.0-20250122165010-4ed702ccff4e","source":"osv","published_at":"2025-03-03T19:22:09Z","in_kev":false,"epss_prob":0.61205,"epss_percentile":0.98325,"threat_tier":"likely_exploited"},{"vuln_id":"CVE-2025-24526","severity":"unknown","summary":"Mattermost fails to restrict channel export of archived channels in github.com/mattermost/mattermost-server","affected_versions":">=10.4.0-rc1+incompatible,<10.4.2+incompatible|<8.0.0-20250110161910-96195f1bd746","fixed_version":"8.0.0-20250110161910-96195f1bd746","source":"osv","published_at":"2025-03-03T19:22:09Z","in_kev":false,"epss_prob":0.00199,"epss_percentile":0.41901,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-1412","severity":"unknown","summary":"Mattermost fails to invalidate all active sessions when converting a user to a bot in 
github.com/mattermost/mattermost-server","affected_versions":">=10.4.0-rc1+incompatible,<10.4.2+incompatible|<8.0.0-20241217145510-faa7e4f2ea0c","fixed_version":"8.0.0-20241217145510-faa7e4f2ea0c","source":"osv","published_at":"2025-03-03T19:22:09Z","in_kev":false,"epss_prob":0.00166,"epss_percentile":0.37464,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-20051","severity":"unknown","summary":"Mattermost allows reading arbitrary files in github.com/mattermost/mattermost-server","affected_versions":">=10.4.0-rc1+incompatible,<10.4.2+incompatible|<8.0.0-20250122165010-4ed702ccff4e","fixed_version":"8.0.0-20250122165010-4ed702ccff4e","source":"osv","published_at":"2025-03-03T19:22:09Z","in_kev":false,"epss_prob":0.00251,"epss_percentile":0.48504,"threat_tier":"theoretical"},{"vuln_id":"BIT-mattermost-2025-27933","severity":"unknown","summary":"Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server","affected_versions":">=10.4.0+incompatible,<10.4.3+incompatible|<8.0.0-20250218135018-e644e3c8e393","fixed_version":"8.0.0-20250218135018-e644e3c8e393","source":"osv","published_at":"2025-03-25T19:38:11Z","in_kev":false,"threat_tier":"unknown"},{"vuln_id":"CVE-2025-32093","severity":"unknown","summary":"Mattermost Fails to Restrict Certain Operations on System Admins in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250227102013-aa4623a93199","fixed_version":"8.0.0-20250227102013-aa4623a93199","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.00228,"epss_percentile":0.45551,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-2475","severity":"unknown","summary":"Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm in 
github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250220161544-fd356b62b4dd","fixed_version":"8.0.0-20250220161544-fd356b62b4dd","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.00193,"epss_percentile":0.4103,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-2424","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250213231113-68c11e9ecb71","fixed_version":"8.0.0-20250213231113-68c11e9ecb71","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.00138,"epss_percentile":0.33401,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-27936","severity":"unknown","summary":"Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250218121836-2b5275d87136","fixed_version":"8.0.0-20250218121836-2b5275d87136","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.00212,"epss_percentile":0.43606,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-27571","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250218121836-2b5275d87136","fixed_version":"8.0.0-20250218121836-2b5275d87136","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.00183,"epss_percentile":0.39853,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-27538","severity":"unknown","summary":"Mattermost Missing Authentication for Critical Function in 
github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250314142426-c049748b8863","fixed_version":"8.0.0-20250314142426-c049748b8863","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.0018,"epss_percentile":0.39416,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-24839","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250218121836-2b5275d87136","fixed_version":"8.0.0-20250218121836-2b5275d87136","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.00152,"epss_percentile":0.35617,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-31363","severity":"unknown","summary":"Mattermost doesn't restrict domains LLM can request to contact upstream in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.1+incompatible|<8.0.0-20250218121836-2b5275d87136","fixed_version":"8.0.0-20250218121836-2b5275d87136","source":"osv","published_at":"2025-04-22T16:56:33Z","in_kev":false,"epss_prob":0.00159,"epss_percentile":0.365,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-2564","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.2+incompatible|<8.0.0-20250314142426-c049748b8863","fixed_version":"8.0.0-20250314142426-c049748b8863","source":"osv","published_at":"2025-04-22T18:14:45Z","in_kev":false,"epss_prob":0.00183,"epss_percentile":0.39853,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-41395","severity":"unknown","summary":"Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in 
github.com/mattermost/mattermost-plugin-playbooks","affected_versions":"<1.41.0|>=9.11.0+incompatible|>=10.4.0+incompatible|>=10.5.0+incompatible|<8.0.0-20250218121836-2b5275d87136","fixed_version":"8.0.0-20250218121836-2b5275d87136","source":"osv","published_at":"2025-04-24T18:14:57Z","in_kev":false,"epss_prob":0.00132,"epss_percentile":0.32533,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-35965","severity":"unknown","summary":"Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks","affected_versions":"<1.41.0|>=9.11.0+incompatible|>=10.4.0+incompatible|>=10.5.0+incompatible|<8.0.0-20250218121836-2b5275d87136","fixed_version":"8.0.0-20250218121836-2b5275d87136","source":"osv","published_at":"2025-04-24T18:14:57Z","in_kev":false,"epss_prob":0.00337,"epss_percentile":0.56525,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-41423","severity":"unknown","summary":"Mattermost Playbooks fails to properly validate permissions in github.com/mattermost/mattermost-plugin-playbooks","affected_versions":"<1.41.0|>=9.11.0+incompatible|>=10.4.0+incompatible|>=10.5.0+incompatible|<8.0.0-20250218121836-2b5275d87136","fixed_version":"8.0.0-20250218121836-2b5275d87136","source":"osv","published_at":"2025-04-24T18:14:57Z","in_kev":false,"epss_prob":0.00042,"epss_percentile":0.12727,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-2527","severity":"unknown","summary":"Mattermost Fails to Verify User's Permissions When Accessing Groups in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.3+incompatible|<8.0.0-20250411064244-844447fbd57c","fixed_version":"8.0.0-20250411064244-844447fbd57c","source":"osv","published_at":"2025-05-23T15:17:19Z","in_kev":false,"epss_prob":0.0017,"epss_percentile":0.37912,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-31947","severity":"unknown","summary":"Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in 
github.com/mattermost/mattermost-server","affected_versions":">=10.6.0+incompatible,<10.6.2+incompatible|<8.0.0-20250415054241-76ab3867b785","fixed_version":"8.0.0-20250415054241-76ab3867b785","source":"osv","published_at":"2025-05-23T15:17:19Z","in_kev":false,"epss_prob":0.0036,"epss_percentile":0.58196,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-3446","severity":"unknown","summary":"Mattermost Fails to Validate Team Invite Permissions in github.com/mattermost/mattermost-server","affected_versions":">=10.6.0+incompatible,<10.6.2+incompatible|<8.0.0-20250415054241-76ab3867b785","fixed_version":"8.0.0-20250415054241-76ab3867b785","source":"osv","published_at":"2025-05-23T15:17:19Z","in_kev":false,"epss_prob":0.00188,"epss_percentile":0.40455,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-2570","severity":"unknown","summary":"Mattermost Fails to Check User Access to `ExperimentalSettings` in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.3+incompatible|<8.0.0-20250411064244-844447fbd57c","fixed_version":"8.0.0-20250411064244-844447fbd57c","source":"osv","published_at":"2025-05-23T15:17:19Z","in_kev":false,"epss_prob":0.00217,"epss_percentile":0.44193,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-3913","severity":"unknown","summary":"Mattermost improperly allows team administrators to modify team invites in github.com/mattermost/mattermost-server","affected_versions":">=10.7.0-rc1+incompatible,<10.7.1+incompatible|<8.0.0-20250412152950-02c76784380a","fixed_version":"8.0.0-20250412152950-02c76784380a","source":"osv","published_at":"2025-06-03T17:58:02Z","in_kev":false,"epss_prob":0.00282,"epss_percentile":0.51545,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-3611","severity":"unknown","summary":"Mattermost fails to properly enforce access control restrictions for System Manager roles in 
github.com/mattermost/mattermost-server","affected_versions":">=10.6.0-rc1+incompatible,<10.7.1+incompatible|<8.0.0-20250414154356-6f33b721de76","fixed_version":"8.0.0-20250414154356-6f33b721de76","source":"osv","published_at":"2025-06-03T17:58:02Z","in_kev":false,"epss_prob":0.00138,"epss_percentile":0.33458,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-2571","severity":"unknown","summary":"Mattermost fails to clear Google OAuth credentials in github.com/mattermost/mattermost-server","affected_versions":">=10.7.0-rc1+incompatible,<10.7.1+incompatible|<8.0.0-20250414095146-04676582cdd2","fixed_version":"8.0.0-20250414095146-04676582cdd2","source":"osv","published_at":"2025-06-03T17:58:02Z","in_kev":false,"epss_prob":0.00173,"epss_percentile":0.38457,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-1792","severity":"unknown","summary":"Mattermost fails to properly enforce access controls for guest users in github.com/mattermost/mattermost-server","affected_versions":">=10.6.0-rc1+incompatible,<10.7.1+incompatible|<8.0.0-20250414110750-c23f44fe8ed0","fixed_version":"8.0.0-20250414110750-c23f44fe8ed0","source":"osv","published_at":"2025-06-03T17:58:02Z","in_kev":false,"epss_prob":0.00138,"epss_percentile":0.33458,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-3230","severity":"unknown","summary":"Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server","affected_versions":">=10.7.0-rc1+incompatible,<10.7.1+incompatible|<8.0.0-20250402193107-65343f84a783","fixed_version":"8.0.0-20250402193107-65343f84a783","source":"osv","published_at":"2025-06-03T17:58:02Z","in_kev":false,"epss_prob":0.00193,"epss_percentile":0.4103,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-4573","severity":"unknown","summary":"Mattermost allows authenticated administrator to execute LDAP search filter injection in 
github.com/mattermost/mattermost-server","affected_versions":">=10.7.0+incompatible,<10.7.2+incompatible|<8.0.0-20250414112942-77892234944b","fixed_version":"8.0.0-20250414112942-77892234944b","source":"osv","published_at":"2025-06-11T17:45:49Z","in_kev":false,"epss_prob":0.00207,"epss_percentile":0.43036,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-4128","severity":"unknown","summary":"Mattermost allows guest users to view information about public teams they are not members of in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.5+incompatible|<8.0.0-20250422131222-701ddc896a10","fixed_version":"8.0.0-20250422131222-701ddc896a10","source":"osv","published_at":"2025-06-11T17:45:49Z","in_kev":false,"epss_prob":0.00128,"epss_percentile":0.31832,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-4981","severity":"unknown","summary":"Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server","affected_versions":">=10.8.0+incompatible,<10.8.1+incompatible|<8.0.0-20250519205859-65aec10162f6","fixed_version":"8.0.0-20250519205859-65aec10162f6","source":"osv","published_at":"2025-07-28T19:57:13Z","in_kev":false,"epss_prob":0.0169,"epss_percentile":0.82298,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-3228","severity":"unknown","summary":"Mattermost allows an unauthorized Guest user access to Playbook in github.com/mattermost/mattermost-server","affected_versions":">=10.8.0+incompatible,<10.8.1+incompatible|<8.0.0-20250520060012-d0380305ef7a","fixed_version":"8.0.0-20250520060012-d0380305ef7a","source":"osv","published_at":"2025-07-28T19:57:13Z","in_kev":false,"epss_prob":0.00183,"epss_percentile":0.39807,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-3227","severity":"unknown","summary":"Mattermost allows unauthorized channel member management through playbook runs in 
github.com/mattermost/mattermost-server","affected_versions":">=10.8.0+incompatible,<10.8.1+incompatible|<8.0.0-20250520060012-d0380305ef7a","fixed_version":"8.0.0-20250520060012-d0380305ef7a","source":"osv","published_at":"2025-07-28T19:57:13Z","in_kev":false,"epss_prob":0.0017,"epss_percentile":0.38014,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-46702","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.8.0+incompatible,<10.8.1+incompatible|<8.0.0-20250513065225-4ae5d647fb88","fixed_version":"8.0.0-20250513065225-4ae5d647fb88","source":"osv","published_at":"2025-07-28T19:57:13Z","in_kev":false,"epss_prob":0.00075,"epss_percentile":0.2248,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-47871","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.8.0+incompatible,<10.8.1+incompatible|<8.0.0-20250513065225-4ae5d647fb88","fixed_version":"8.0.0-20250513065225-4ae5d647fb88","source":"osv","published_at":"2025-07-28T19:57:13Z","in_kev":false,"epss_prob":0.00068,"epss_percentile":0.20834,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-6227","severity":"unknown","summary":"Mattermost has Insufficiently Protected Credentials in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.8+incompatible|<8.0.0-20250612074655-8f8612c63783","fixed_version":"8.0.0-20250612074655-8f8612c63783","source":"osv","published_at":"2025-07-29T18:49:33Z","in_kev":false,"epss_prob":0.00045,"epss_percentile":0.13901,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-6226","severity":"unknown","summary":"Mattermost Missing Authentication for Critical Function in 
github.com/mattermost/mattermost-server","affected_versions":">=10.8.0+incompatible,<10.8.2+incompatible|<8.0.0-20250520130510-fa40a8c5d47f","fixed_version":"8.0.0-20250520130510-fa40a8c5d47f","source":"osv","published_at":"2025-07-29T18:49:33Z","in_kev":false,"epss_prob":0.0007,"epss_percentile":0.21377,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-6233","severity":"unknown","summary":"Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.8.0+incompatible,<10.8.2+incompatible|<8.0.0-20250529054450-d38c27f96fcf","fixed_version":"8.0.0-20250529054450-d38c27f96fcf","source":"osv","published_at":"2025-07-29T18:49:33Z","in_kev":false,"epss_prob":0.00101,"epss_percentile":0.27631,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-53971","severity":"unknown","summary":"Mattermost Fails to Properly Validate Team Role Modification in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.9+incompatible|<8.0.0-20250721095846-c602a4a78e1f","fixed_version":"8.0.0-20250721095846-c602a4a78e1f","source":"osv","published_at":"2025-08-29T14:52:20Z","in_kev":false,"epss_prob":0.00039,"epss_percentile":0.11557,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-49810","severity":"unknown","summary":"Mattermost Lack of Access Control Validation in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.9+incompatible|<8.0.0-20250721095846-c602a4a78e1f","fixed_version":"8.0.0-20250721095846-c602a4a78e1f","source":"osv","published_at":"2025-08-29T14:52:20Z","in_kev":false,"epss_prob":0.0003,"epss_percentile":0.08541,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-47870","severity":"unknown","summary":"Mattermost Does Not Sanitize the Team Invite ID in 
github.com/mattermost/mattermost-server","affected_versions":">=10.9.0+incompatible,<10.9.3+incompatible|<8.0.0-20250708065844-b38e2eccda18","fixed_version":"8.0.0-20250708065844-b38e2eccda18","source":"osv","published_at":"2025-08-29T14:52:20Z","in_kev":false,"epss_prob":0.0004,"epss_percentile":0.12025,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-47700","severity":"unknown","summary":"Mattermost Server SSRF Vulnerability via the Agents Plugin in github.com/mattermost/mattermost-server","affected_versions":">=10.5.0+incompatible,<10.5.10+incompatible|<8.0.0-20250814075248-83a37a861d3c","fixed_version":"8.0.0-20250814075248-83a37a861d3c","source":"osv","published_at":"2025-08-29T14:52:20Z","in_kev":false,"epss_prob":0.00033,"epss_percentile":0.09592,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-8023","severity":"unknown","summary":"Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server","affected_versions":">=10.9.0+incompatible,<10.9.3+incompatible|<8.0.0-20250708065844-b38e2eccda18","fixed_version":"8.0.0-20250708065844-b38e2eccda18","source":"osv","published_at":"2025-08-29T14:52:20Z","in_kev":false,"epss_prob":0.00056,"epss_percentile":0.1749,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-9072","severity":"unknown","summary":"Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.10.0+incompatible,<10.10.2+incompatible|<8.0.0-20250731063404-9eebaadf8f72","fixed_version":"8.0.0-20250731063404-9eebaadf8f72","source":"osv","published_at":"2025-09-17T17:03:49Z","in_kev":false,"epss_prob":0.00031,"epss_percentile":0.08864,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-9078","severity":"unknown","summary":"Mattermost makes Use of Weak Hash in 
github.com/mattermost/mattermost-server","affected_versions":">=10.10.0+incompatible,<10.10.2+incompatible|<8.0.0-20250718075842-cd87e5c87737","fixed_version":"8.0.0-20250718075842-cd87e5c87737","source":"osv","published_at":"2025-09-17T17:03:49Z","in_kev":false,"epss_prob":0.00022,"epss_percentile":0.0606,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-9079","severity":"unknown","summary":"Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.10.0+incompatible,<10.10.2+incompatible|<8.0.0-20250707221302-a8fa77f107ef","fixed_version":"8.0.0-20250707221302-a8fa77f107ef","source":"osv","published_at":"2025-09-24T19:21:37Z","in_kev":false,"epss_prob":0.00051,"epss_percentile":0.15791,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-9081","severity":"unknown","summary":"Mattermost boards plugin fails to restrict download access to files in github.com/mattermost/mattermost-plugin-boards","affected_versions":"<0.0.0-20250716054606-3f3e3becfe1d|>=10.5.0-rc1+incompatible,<10.5.9+incompatible|<8.0.0-20250721095935-11c36f4d1e44","fixed_version":"8.0.0-20250721095935-11c36f4d1e44","source":"osv","published_at":"2025-09-24T19:21:41Z","in_kev":false,"epss_prob":0.00011,"epss_percentile":0.01481,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-10545","severity":"unknown","summary":"Mattermost has an Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.11.0+incompatible,<10.11.3+incompatible|<8.0.0-20250820115038-ff30b84049f0","fixed_version":"8.0.0-20250820115038-ff30b84049f0","source":"osv","published_at":"2025-10-30T15:02:33Z","in_kev":false,"epss_prob":8e-05,"epss_percentile":0.00804,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-58073","severity":"unknown","summary":"Mattermost has a Missing Authorization vulnerability in 
github.com/mattermost/mattermost-server","affected_versions":">=10.11.0+incompatible,<10.11.2+incompatible|<8.0.0-20250807174701-e14175eb6539","fixed_version":"8.0.0-20250807174701-e14175eb6539","source":"osv","published_at":"2025-10-30T15:02:33Z","in_kev":false,"epss_prob":0.00046,"epss_percentile":0.14053,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-54499","severity":"unknown","summary":"Mattermost has an Observable Timing Discrepancy vulnerability in github.com/mattermost/mattermost-server","affected_versions":">=10.11.0+incompatible,<10.11.3+incompatible|<8.0.0-20250728063359-38208b8f065f","fixed_version":"8.0.0-20250728063359-38208b8f065f","source":"osv","published_at":"2025-10-30T15:02:33Z","in_kev":false,"epss_prob":0.00032,"epss_percentile":0.09172,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-11777","severity":"unknown","summary":"Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost","affected_versions":">=10.11.0+incompatible,<10.11.4+incompatible|<8.0.0-20251212204551-54f2e9b4afd5","fixed_version":"8.0.0-20251212204551-54f2e9b4afd5","source":"osv","published_at":"2025-11-17T19:11:25Z","in_kev":false,"epss_prob":0.00027,"epss_percentile":0.07621,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-11776","severity":"unknown","summary":"Mattermost fails to properly restrict access to archived channel search API in github.com/mattermost/mattermost","affected_versions":"<8.0.0-20250815165020-c8d66301415d","fixed_version":"8.0.0-20250815165020-c8d66301415d","source":"osv","published_at":"2025-11-17T19:11:25Z","in_kev":false,"epss_prob":0.00039,"epss_percentile":0.11613,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-55070","severity":"unknown","summary":"Mattermost does not enforce MFA on WebSocket connections in 
github.com/mattermost/mattermost-server","affected_versions":"<11.1.0+incompatible|<8.0.0-20250912063506-7d8b7b5e4a60","fixed_version":"8.0.0-20250912063506-7d8b7b5e4a60","source":"osv","published_at":"2025-11-17T19:11:25Z","in_kev":false,"epss_prob":0.00148,"epss_percentile":0.34986,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-55073","severity":"unknown","summary":"Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server","affected_versions":">=10.12.0+incompatible,<10.12.1+incompatible|<8.0.0-20250929212932-a41db04d2746","fixed_version":"8.0.0-20250929212932-a41db04d2746","source":"osv","published_at":"2025-11-18T15:34:32Z","in_kev":false,"epss_prob":0.00045,"epss_percentile":0.13795,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-11794","severity":"unknown","summary":"Mattermost allows system administrators to access password hashes and MFA secrets in github.com/mattermost/mattermost-server","affected_versions":">=10.12.0+incompatible,<10.12.1+incompatible|<8.0.0-20250929212932-a41db04d2746","fixed_version":"8.0.0-20250929212932-a41db04d2746","source":"osv","published_at":"2025-11-18T15:34:32Z","in_kev":false,"epss_prob":0.00044,"epss_percentile":0.1335,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-41436","severity":"unknown","summary":"Mattermost allows regular users to access archived channel content and files in github.com/mattermost/mattermost-server","affected_versions":"<11.0.0-alpha.1+incompatible|<8.0.0-20250815165020-c8d66301415d","fixed_version":"8.0.0-20250815165020-c8d66301415d","source":"osv","published_at":"2025-11-18T15:34:32Z","in_kev":false,"epss_prob":0.00029,"epss_percentile":0.08326,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-12419","severity":"unknown","summary":"Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in 
github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20251028000919-d3ed703dc833","fixed_version":"8.0.0-20251028000919-d3ed703dc833","source":"osv","published_at":"2025-12-15T20:33:49Z","in_kev":false,"epss_prob":0.00081,"epss_percentile":0.23662,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-12559","severity":"unknown","summary":"Mattermost fails to sanitize team email addresses in github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20251015091448-abbf01b9db45","fixed_version":"8.0.0-20251015091448-abbf01b9db45","source":"osv","published_at":"2025-12-15T20:33:49Z","in_kev":false,"epss_prob":0.00037,"epss_percentile":0.10987,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-12421","severity":"unknown","summary":"Mattermost fails to verify the token used during code exchange in github.com/mattermost/mattermost-server","affected_versions":"<8.0.0-20251022210333-acda1fb5dd46","fixed_version":"8.0.0-20251022210333-acda1fb5dd46","source":"osv","published_at":"2025-12-15T20:33:49Z","in_kev":false,"epss_prob":0.00081,"epss_percentile":0.23662,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-13870","severity":"unknown","summary":"Mattermost fails to validate user permissions in Boards in github.com/mattermost/mattermost","affected_versions":">=10.11.0+incompatible,<10.11.5+incompatible|<8.0.0-20251212204551-54f2e9b4afd5","fixed_version":"8.0.0-20251212204551-54f2e9b4afd5","source":"osv","published_at":"2025-12-08T21:31:36Z","in_kev":false,"epss_prob":0.00048,"epss_percentile":0.14913,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-13352","severity":"unknown","summary":"Mattermost GitHub Plugin Bot Identity Validation Bypass Allows Arbitrary GitHub Reaction Injection in 
github.com/mattermost/mattermost","affected_versions":">=11.0.0-alpha.1+incompatible,<11.1.0+incompatible|<1.0.1-0.20250829075715-0deffcfc6bee|>=10.11.0-rc1+incompatible","fixed_version":"1.0.1-0.20250829075715-0deffcfc6bee","source":"osv","published_at":"2025-12-22T18:15:35Z","in_kev":false,"epss_prob":0.00084,"epss_percentile":0.24256,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-62690","severity":"unknown","summary":"Mattermost has missing redirect URL validation in github.com/mattermost/mattermost","affected_versions":">=10.11.0-rc1+incompatible,<11.1.0+incompatible|>=8.0.0-20250721062209-4952acea88ce,<8.0.0-20251016131338-dad6bd7a1509","fixed_version":"8.0.0-20251016131338-dad6bd7a1509","source":"osv","published_at":"2026-01-14T19:15:43Z","in_kev":false,"epss_prob":0.00051,"epss_percentile":0.15948,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-13324","severity":"unknown","summary":"Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation in github.com/mattermost/mattermost","affected_versions":">=11.0.0-alpha.1+incompatible,<11.0.4+incompatible|<11.0.4+incompatible|<8.0.0-20251031095924-e7e23b94e006","fixed_version":"8.0.0-20251031095924-e7e23b94e006","source":"osv","published_at":"2025-12-30T01:49:57Z","in_kev":false,"epss_prob":0.00054,"epss_percentile":0.16764,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-14273","severity":"unknown","summary":"Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira","affected_versions":"<8.0.0-20251121122154-b57c297c6d7a","fixed_version":"8.0.0-20251121122154-b57c297c6d7a","source":"osv","published_at":"2026-01-12T17:39:39Z","in_kev":false,"epss_prob":0.00141,"epss_percentile":0.33953,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-0999","severity":"unknown","summary":"Mattermost fails to properly validate login method restrictions in 
github.com/mattermost/mattermost-server","affected_versions":">=10.11.0+incompatible|>=11.1.0+incompatible|>=11.2.0+incompatible|<8.0.0-20251212052346-61651b0df7ea","fixed_version":"8.0.0-20251212052346-61651b0df7ea","source":"osv","published_at":"2026-02-23T18:23:12Z","in_kev":false,"epss_prob":0.00052,"epss_percentile":0.16019,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-14350","severity":"unknown","summary":"Mattermost fails to properly validate team membership when processing channel mentions in github.com/mattermost/mattermost-server","affected_versions":">=10.11.0+incompatible|>=11.1.0+incompatible|>=11.2.0+incompatible|<8.0.0-20251209134645-761e56bb11cc","fixed_version":"8.0.0-20251209134645-761e56bb11cc","source":"osv","published_at":"2026-02-23T18:23:12Z","in_kev":false,"epss_prob":0.0004,"epss_percentile":0.11988,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-14573","severity":"unknown","summary":"Mattermost fails to enforce invite permissions when updating team settings in github.com/mattermost/mattermost-server","affected_versions":">=10.11.0+incompatible|>=11.1.0+incompatible|>=11.2.0+incompatible|<8.0.0-20251215190648-6404ab29acc0","fixed_version":"8.0.0-20251215190648-6404ab29acc0","source":"osv","published_at":"2026-02-23T18:23:12Z","in_kev":false,"epss_prob":0.0003,"epss_percentile":0.08571,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-13821","severity":"unknown","summary":"Mattermost fails to sanitize sensitive data in WebSocket messages in github.com/mattermost/mattermost-server","affected_versions":">=10.11.0+incompatible|>=11.1.0+incompatible|>=11.2.0+incompatible|<8.0.0-20251210191531-cd17b61de41b","fixed_version":"8.0.0-20251210191531-cd17b61de41b","source":"osv","published_at":"2026-02-23T18:23:12Z","in_kev":false,"epss_prob":0.00044,"epss_percentile":0.13415,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-25783","severity":"unknown","summary":"Mattermost fails to properly validate User-Agent header tokens in 
github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260129181235-1346cf529aef","fixed_version":"8.0.0-20260129181235-1346cf529aef","source":"osv","published_at":"2026-03-26T20:33:02Z","in_kev":false,"epss_prob":0.0008,"epss_percentile":0.23377,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-2456","severity":"unknown","summary":"Mattermost fails to limit the size of responses from integration action endpoints in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260127165411-fe3052073dc6","fixed_version":"8.0.0-20260127165411-fe3052073dc6","source":"osv","published_at":"2026-03-26T20:33:02Z","in_kev":false,"epss_prob":0.00042,"epss_percentile":0.12636,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-2458","severity":"unknown","summary":"Mattermost allows a removed team member to enumerate all public channels within a private team in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260113182106-a18b80ba4c32","fixed_version":"8.0.0-20260113182106-a18b80ba4c32","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00034,"epss_percentile":0.10059,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-24458","severity":"unknown","summary":"Mattermost fails to properly handle very long passwords in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260129164748-7201f42d955f","fixed_version":"8.0.0-20260129164748-7201f42d955f","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.0006,"epss_percentile":0.18752,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-2457","severity":"unknown","summary":"Mattermost allows attackers to spoof permalink embeds in 
github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260123211116-9efe617be8b8","fixed_version":"8.0.0-20260123211116-9efe617be8b8","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00019,"epss_percentile":0.05356,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-25780","severity":"unknown","summary":"Mattermost fails to bound memory allocation when processing DOC files in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260123215601-86797c508c44","fixed_version":"8.0.0-20260123215601-86797c508c44","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00052,"epss_percentile":0.16245,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-2578","severity":"unknown","summary":"Mattermost fails to preserve the redacted state of burn-on-read posts during deletion in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260127062706-c6b205f0d770","fixed_version":"8.0.0-20260127062706-c6b205f0d770","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00037,"epss_percentile":0.11032,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-2463","severity":"unknown","summary":"Mattermost fails to filter invite IDs based on user permissions in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260105134819-cc427af41b2a","fixed_version":"8.0.0-20260105134819-cc427af41b2a","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00028,"epss_percentile":0.07902,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-21386","severity":"unknown","summary":"Mattermost fails to use consistent error responses when handling the /mute command in 
github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260130144323-5bb5261c72fa","fixed_version":"8.0.0-20260130144323-5bb5261c72fa","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00037,"epss_percentile":0.11032,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-24692","severity":"unknown","summary":"Mattermost fails to properly enforce read permissions in search API endpoints in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260107142155-0481bd1fb045","fixed_version":"8.0.0-20260107142155-0481bd1fb045","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00028,"epss_percentile":0.07902,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-2455","severity":"unknown","summary":"Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260129133647-5d787969c2d5","fixed_version":"8.0.0-20260129133647-5d787969c2d5","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00034,"epss_percentile":0.10059,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-4265","severity":"unknown","summary":"Mattermost fails to validate team-specific upload_file permissions in github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260107144005-c7f6efdfb035","fixed_version":"8.0.0-20260107144005-c7f6efdfb035","source":"osv","published_at":"2026-03-23T18:14:47Z","in_kev":false,"epss_prob":0.00029,"epss_percentile":0.08341,"threat_tier":"theoretical"},{"vuln_id":"CVE-2026-22545","severity":"unknown","summary":"Mattermost fails to validate user's authentication method when processing account auth type switch in 
github.com/mattermost/mattermost-server","affected_versions":">=11.3.0-rc1+incompatible,<11.3.1+incompatible|<8.0.0-20260127144908-ced9a56e3988","fixed_version":"8.0.0-20260127144908-ced9a56e3988","source":"osv","published_at":"2026-03-23T18:16:14Z","in_kev":false,"epss_prob":0.00045,"epss_percentile":0.13923,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":1},"versions":{"latest":"v5.39.3","total_count":393,"recent":["v5.17.0-rc3","v5.25.3-rc1","v5.0.3-rc1","v5.9.0-rc4","v5.3.0-rc4","v5.20.2-rc1","v5.34.2","v5.17.0-rc4","v5.31.1","v5.20.0-rc1","v5.6.0","v5.6.2-rc1","v5.37.0","v5.18.0-rc2","v5.37.1","v5.0.0-rc3","v5.19.3","v5.7.0-rc6","v5.18.0","v5.2.1-rc1"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":1198,"first_published":null,"last_published":"2021-12-15T17:40:34Z","dependencies_count":0,"dependencies":[]},"bundle":null,"typescript":null,"known_issues":{"bugs_count":34,"bugs_severity":{"medium":33,"low":1},"status_breakdown":{"fixed":30,"open":4},"link":"/api/bugs/go/github.com/mattermost/mattermost-server/v5?version=v5.39.3","scope":"version","details":[{"title":"Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira","severity":"medium","status":"fixed","affected_version":null,"fixed_version":"8.0.0-20251121122154-b57c297c6d7a","url":"https://github.com/advisories/GHSA-qvmc-92vg-6r35"},{"title":"Mattermost fails to verify the token used during code exchange in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","affected_version":null,"fixed_version":"8.0.0-20251022210333-acda1fb5dd46","url":"https://github.com/advisories/GHSA-mp6x-97xj-9x62"},{"title":"Mattermost fails to sanitize team email addresses in 
github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","affected_version":null,"fixed_version":"8.0.0-20251015091448-abbf01b9db45","url":"https://github.com/advisories/GHSA-4g87-9x45-cx2h"},{"title":"Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","affected_version":null,"fixed_version":"8.0.0-20251028000919-d3ed703dc833","url":"https://github.com/advisories/GHSA-3x39-62h4-f8j6"},{"title":"Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server","severity":"medium","status":"fixed","affected_version":null,"fixed_version":"5.1.0","url":"https://github.com/advisories/GHSA-5mh6-p63g-3mv5"}]},"historical_compromise":null,"recommendation":{"action":"safe_to_use","issues":[],"use_version":"v5.39.3","version_hint":"Update to >= 8.0.0-20260127144908-ced9a56e3988 to fix known vulnerabilities","summary":"github.com/mattermost/mattermost-server/v5@v5.39.3 is safe to use (health: 43/100); note that this verdict sits alongside a high health risk rating and listed advisories whose affected ranges (for example <8.0.0-20260127144908-ced9a56e3988) appear to include v5.39.3, so check version_hint before adopting it"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false}}