CVSS: 6.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

15 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Jan 2025 — Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Jan 2025 — Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •

CVSS: 6.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

15 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input. • https://mattermost.com/security-updates • CWE-704: Incorrect Type Conversion or Cast •

CVSS: 4.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Jan 2025 — Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting. • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions •

CVSS: 4.3 • EPSS: 0% • CPEs: 4 • EXPL: 0

09 Jan 2025 — Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •

CVSS: 4.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Jan 2025 — Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •

CVSS: 5.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Dec 2024 — Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider. • https://mattermost.com/security-updates • CWE-284: Improper Access Control •

CVSS: 6.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

16 Dec 2024 — Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for Slack import file uploads, which allows a user to cause a DoS via zip bomb by importing data in a team where they are a team admin. • https://mattermost.com/security-updates • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) •

CVSS: 6.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

16 Dec 2024 — Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps, which allows a user to cause a client-side (webapp and mobile) DoS to users of particular channels by sending a specially crafted post. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •