CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2025-24526 – Channel export permitted on archived channel when viewing archived channels is disabled
https://notcve.org/view.php?id=CVE-2025-24526
24 Feb 2025 — Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a user to export channel contents when they shouldn't have access to it Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived cha... • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 3.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0503 – Leaked User IDs and Metadata of Deleted DMs
https://notcve.org/view.php?id=CVE-2025-0503
14 Feb 2025 — Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database. • https://mattermost.com/security-updates • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-20621 – Webapp crash via object that can't be cast to String in Attachment Field
https://notcve.org/view.php?id=CVE-2025-20621
16 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-20088 – Insufficient Input Validation on Post Props
https://notcve.org/view.php?id=CVE-2025-20088
15 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-20086 – Insufficient Input Validation on Post Props
https://notcve.org/view.php?id=CVE-2025-20086
15 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21088 – WebApp crash via improper validation of proto style in attachments
https://notcve.org/view.php?id=CVE-2025-21088
15 Jan 2025 — Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the frontend via crafted malicious input. • https://mattermost.com/security-updates • CWE-704: Incorrect Type Conversion or Cast •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-20033 – DoS via custom post type for sysconsole plugin readers
https://notcve.org/view.php?id=CVE-2025-20033
09 Jan 2025 — Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props. • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22449 – Access control flaw for team admins allows unauthorized team additions
https://notcve.org/view.php?id=CVE-2025-22449
09 Jan 2025 — Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public. • https://mattermost.com/security-updates • CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-54682 – Zipbomb DoS via Missing Slack Import Validation
https://notcve.org/view.php?id=CVE-2024-54682
16 Dec 2024 — Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin. Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin. • https://mattermost.com/security-updates • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-54083 – DoS via lack of type validation in Calls
https://notcve.org/view.php?id=CVE-2024-54083
16 Dec 2024 — Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post. Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels,... • https://mattermost.com/security-updates • CWE-1287: Improper Validation of Specified Type of Input •