github.com/mattermost/mattermost-server vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.


| CVE-ID | Severity | Package | Summary |
|---|---|---|---|
| CVE-2026-4915 | Medium | github.com/mattermost/mattermost-server | Mattermost doesn't filter nil elements from outgoing webhook attachment payloads before processing |
| CVE-2026-28735 | Medium | github.com/mattermost/mattermost-server | Mattermost allows authenticated users to gain access to private repositories |
| CVE-2026-5308 | High | github.com/mattermost/mattermost-server | Mattermost doesn't enforce request body size limits on plugin HTTP endpoints |
| CVE-2026-3473 | High | github.com/mattermost/mattermost-server | Mattermost doesn't validate file ownership and access control |
| CVE-2026-5740 | High | github.com/mattermost/mattermost-server | Mattermost doesn't properly validate msgpack-encoded WebSocket frames before memory allocation |
| CVE-2026-4646 | Medium | github.com/mattermost/mattermost-server | Mattermost doesn't validate user-supplied input in API request handlers |
| CVE-2026-4635 | Medium | github.com/mattermost/mattermost-server | Mattermost doesn't archive the channel before removing persistent notifications |
| CVE-2026-3636 | Medium | github.com/mattermost/mattermost-server | Mattermost doesn't sanitize team member data when returned via API to users without elevated… |
| CVE-2026-5755 | Medium | github.com/mattermost/mattermost-server | Mattermost doesn't validate the TIFF IFD offset in the image header before allocating memory |
| CVE-2026-4858 | High | github.com/mattermost/mattermost-server | Mattermost has a Path Traversal issue |
| CVE-2026-6347 | High | github.com/mattermost/mattermost-server | Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin |
| CVE-2026-5163 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't verify channel membership when processing AI-assisted message rewrites |
| CVE-2026-6339 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint |
| CVE-2026-6333 | Low | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't validate the Host header when constructing response URLs for custom slash command |
| CVE-2026-6345 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't prevent disclosure of created user password |
| CVE-2026-6346 | High | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't sanitize sensitive configuration fields before including them in support packet… |
| CVE-2026-28732 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't enforce slash command trigger-word uniqueness during command updates |
| CVE-2026-4273 | Low | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't validate that the RefreshedToken differs from the original invite token during… |
| CVE-2026-6340 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't validate 7zip archive structure before processing |
| CVE-2026-6334 | Low | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't enforce client identity binding during the OAuth authorization code redemption… |
| CVE-2026-28759 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost does not verify remote cluster channel access when processing shared channel membership… |
| CVE-2026-2325 | Medium | github.com/mattermost/mattermost-server | Mattermost doesn't limit the size of the request body on the start meeting API endpoint |
| CVE-2026-3495 | Low | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't escape some variables that could contain malicious content during error page… |
| CVE-2026-3637 | Medium | github.com/mattermost/mattermost/server/v8 | Mattermost doesn't check the create_post channel permission during post edit operations |
| CVE-2026-4053 | Low | github.com/mattermost/mattermost-server | Mattermost doesn't enforce the PostEditTimeLimit on non-message post fields |
