github.com/mattermost/mattermost-server
go · v11.6.1+incompatible
Mattermost is an open source platform for secure collaboration across the entire software development lifecycle.
License: Apache-2.0 (permissive) · 917 versions · 1198 maintainers · 0 deps · 36,306 weekly dl
mattermost/mattermost-server
Health: 63 / 100
update required
github.com/mattermost/mattermost-server@v11.6.1+incompatible has vulnerabilities — update to latest
Update to >= 8.0.0-20260127144908-ced9a56e3988 to fix known vulnerabilities
- 4 high severity vulnerabilities
Health breakdown (0 – 100)
- maintenance: 25/25
- popularity: 10/20
- security: 0/25
- maturity: 15/15
- community: 13/15
Vulnerabilities: 134 (4 high, 22 medium, 108 low)
Advisories (134)
| Severity | ID | Summary | Fixed in |
|---|---|---|---|
| medium | CVE-2025-32093 | Mattermost Fails to Restrict Certain Operations on System Admins | 8.0.0-20250227102013-aa4623a93199 |
| medium | CVE-2026-0999 | Mattermost fails to properly validate login method restrictions | 5.3.2-0.20251212052346-61651b0df7ea |
| medium | BIT-mattermost-2023-1777 | Mattermost vulnerable to information disclosure | 1.4.1-0.20230301145909-10be118d99a5 |
| low | CVE-2025-53971 | Mattermost Fails to Properly Validate Team Role Modification | 8.0.0-20250721095846-c602a4a78e1f |
| medium | CVE-2026-3113 | Mattermost doesn't set permissions on downloaded bulk export | 8.0.0-20260217110922-b7d4a1f1f59b |
| low | CVE-2025-6227 | Mattermost has Insufficiently Protected Credentials | 8.0.0-20250612074655-8f8612c63783 |
| medium | CVE-2025-14350 | Mattermost fails to properly validate team membership when processing channel mentions | 5.3.2-0.20251209134645-761e56bb11cc |
| high | CVE-2025-9072 | Mattermost Open Redirect vulnerability | 8.0.0-20250731063404-9eebaadf8f72 |
| medium | CVE-2025-6226 | Mattermost Missing Authentication for Critical Function | 8.0.0-20250520130510-fa40a8c5d47f |
| low | CVE-2025-55074 | Mattermost allows other users to determine when users had read channels via channel member objects | 8.0.0-20250905150616-ba86dfc5876b6 |
| medium | CVE-2025-9078 | Mattermost makes Use of Weak Hash | 8.0.0-20250718075842-cd87e5c87737 |
| low | CVE-2025-14573 | Mattermost fails to enforce invite permissions when updating team settings | 5.3.2-0.20251215190648-6404ab29acc0 |
| medium | CVE-2025-55073 | Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL | 8.0.0-20250929212932-a41db04d2746 |
| medium | CVE-2026-27656 | Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw | 8.0.0-20260217110922-b7d4a1f1f59b |
| medium | CVE-2025-36530 | Mattermost Fails to Validate File Paths | 8.0.0-20250619095651-9dd0b3943e55 |
| medium | BIT-mattermost-2025-27933 | Mattermost allows members with permission to convert public channels to private and convert private to public | 8.0.0-20250218135018-e644e3c8e393 |
| medium | CVE-2025-11776 | Mattermost fails to properly restrict access to archived channel search API | 5.3.2-0.20250815165020-c8d66301415d |
| high | CVE-2017-18912 | Mattermost Server allows an attacker to specify a full pathname of a log file | 3.7.4-0.20170404171331-0b5c0794fdcb |
| low | CVE-2025-11777 | Mattermost Incorrect Authorization vulnerability | 5.3.2-0.20250905150616-ba86dfc5876b |
| medium | CVE-2025-11794 | Mattermost allows system administrators to access password hashes and MFA secrets | 8.0.0-20250929212932-a41db04d2746 |
... and 114 more
Threat intelligence
1 likely exploited (EPSS ≥ 0.5)
Threat tier per vulnerability derived from CISA KEV catalog + FIRST.org EPSS scores.
API access
Get this data programmatically — free, no authentication.
curl https://depscope.dev/api/check/go/github.com/mattermost/mattermost-server
Last updated · 2026-04-17T17:42:10Z