github.com/mattermost/mattermost/server/v8 vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.


| CVE ID | Severity | Package | Summary |
|---|---|---|---|
| CVE-2026-4915 | Medium | github.com/mattermost/mattermost-server | Mattermost doesn't filter nil elements from outgoing webhook attachment payloads before processing |
| CVE-2026-5740 | High | github.com/mattermost/mattermost-server | Mattermost doesn't properly validate msgpack-encoded WebSocket frames before memory allocation |
| CVE-2026-4055 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost has an Incorrect Authorization issue |
| CVE-2026-5163 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't verify channel membership when processing AI-assisted message rewrites |
| CVE-2026-6343 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't check public/private permissions |
| CVE-2026-6339 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint |
| CVE-2026-6333 | Low | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't validate the Host header when constructing response URLs for custom slash command |
| CVE-2026-6345 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't prevent disclosure of created user password |
| CVE-2026-6346 | High | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't sanitize sensitive configuration fields before including them in support packet… |
| CVE-2026-28732 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't enforce slash command trigger-word uniqueness during command updates |
| CVE-2026-4286 | Low | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't check if {{team_id}} was being changed when updating playbooks |
| CVE-2026-4273 | Low | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't validate that the RefreshedToken differs from the original invite token during… |
| CVE-2026-6340 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't validate 7zip archive structure before processing |
| CVE-2026-6334 | Low | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption… |
| CVE-2026-28759 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost does not verify remote cluster channel access when processing shared channel membership… |
| CVE-2026-3495 | Low | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't escape some variables that could contain malicious content during error page… |
| CVE-2026-3637 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't check the create_post channel permission during post edit operations |
| CVE-2026-3590 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens… |
| CVE-2026-28741 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't validate CSRF tokens on an authentication endpoint |
| CVE-2026-3112 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost allows system administrators to read arbitrary host files via malicious… |
| CVE-2026-3114 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't validate decompressed archive entry sizes during file extraction |
| CVE-2026-3108 | High | github.com/mattermost/mattermost/server/v8 | Mattermost allows attackers to manipulate administrator terminals via crafted messages containing… |
| CVE-2026-3115 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost allows authenticated guest users to enumerate user IDs outside their allowed visibility… |
| CVE-2026-4274 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost has an Incorrect Authorization issue |
| CVE-2026-27656 | Medium | github.com/mattermost/mattermost-server | Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring… |
