Vulnerabilities in Mattermost

438 results
Vexday analysis

With 434 catalogued CVEs and no confirmed entry in the CISA KEV catalog, Mattermost shows an active-exploitation rate below the catalog-wide average, which points to relatively contained immediate operational risk. However, the 60 vulnerabilities that surfaced in the last 90 days deserve attention, as they signal a high pace of recent discovery. The most common weakness is CWE-863 (Incorrect Authorization), a pattern that tends to allow unauthorized access to resources and functionality and that calls for careful review of access controls in deployments. The most dangerous CVE currently identified, CVE-2025-25279, has an EPSS score of 0.2081, the highest observed in this portfolio; although exploitation has not been confirmed, it should be prioritized given the potential for near-term exploitation.

CVE ID           Severity  EPSS   Title
CVE-2025-24526   MEDIUM    0.3%   Channel export permitted on archived channel when viewing archived channels is disabled
CVE-2025-58084   LOW       0.3%   Mattermost Desktop App crashes when clicking on malformed external URL
CVE-2024-50052   MEDIUM    0.3%   Arbitrary post deletion via Playbooks /ignore-thread endpoint
CVE-2025-27936   MEDIUM    0.3%   Webhook Secret Exposure via Timing attack in MSteams plugin
CVE-2025-22449   LOW       0.3%   Access control flaw for team admins allows unauthorized team additions
CVE-2026-3108    HIGH      0.3%   Terminal Escape Injection in mmctl Report Posts Command
CVE-2026-25780   MEDIUM    0.3%   Memory Exhaustion via Malformed DOC File Upload
CVE-2024-1949    LOW       0.3%   A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized acc
CVE-2025-55070   MEDIUM    0.3%   Lack of MFA enforcement in WebSocket connections
CVE-2025-3913    MEDIUM    0.3%   Team Privacy Settings Authorization Bypass in Mattermost Server
CVE-2025-53514   MEDIUM    0.3%   Unexpected Input to Server Webhook endpoint Causes DoS in Mattermost Confluence Plugin
CVE-2026-24458   HIGH      0.3%   DoS attack via login attempts with multi-megabyte passwords
CVE-2024-39836   MEDIUM    0.3%   Munged email address used for password resets and notifications
CVE-2024-34152   MEDIUM    0.3%   Playbook Run Metadata leak to Guest
CVE-2024-36241   LOW       0.3%   /playbook add slash command allows viewing arbitrary post contents
CVE-2026-6739    MEDIUM    0.3%   Mattermost: Delegated admins could patch protected default system roles
CVE-2025-2527    MEDIUM    0.3%   Improper access control to group information
CVE-2026-6347    HIGH      0.3%   Mattermost Calls plugin exposes TURN server credentials in plaintext in support packets
CVE-2026-7184    MEDIUM    0.3%   Mattermost Remote Cluster PATCH API Leaks Authentication Tokens
CVE-2023-3613    LOW       0.3%   Guest accounts invited and added to channels by Welcomebot plugin
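As an added example (not Vexday's tooling and not Mattermost code), the script below parses the listing above, as it arrives when the page is extracted with its table cells run together, into records and orders them by the triage rule the analysis implies: CISA KEV membership first, then EPSS, then severity. The row pattern, the severity ranking and the `kev_ids` parameter are assumptions of this example; the KEV set used in the demo is empty because the analysis states no Mattermost CVE is in KEV.

```python
"""Parse a flattened CVE listing and rank it for triage.

Added example; not Vexday's or Mattermost's code. Assumptions not taken
from the page: the row pattern below, the numeric severity ranking, and
the caller-supplied KEV set (constructed; empty in the demo, since the
analysis says Mattermost has no CISA KEV entries).
"""
import re
from dataclasses import dataclass

# Constructed sample: the page's rows copied verbatim, cells run together
# exactly as the extracted page shows them (no separators between cells).
RAW_LISTING = (
    "CVE-2025-24526MEDIUMChannel export permitted on archived channel when viewing archived channels is disabledEPSS 0.3%"
    "CVE-2025-58084LOWMattermost Desktop App crashes when clicking on malformed external URLEPSS 0.3%"
    "CVE-2024-50052MEDIUMArbitrary post deletion via Playbooks /ignore-thread endpointEPSS 0.3%"
    "CVE-2025-27936MEDIUMWebhook Secret Exposure via Timing attack in MSteams pluginEPSS 0.3%"
    "CVE-2025-22449LOWAccess control flaw for team admins allows unauthorized team additionsEPSS 0.3%"
    "CVE-2026-3108HIGHTerminal Escape Injection in mmctl Report Posts CommandEPSS 0.3%"
    "CVE-2026-25780MEDIUMMemory Exhaustion via Malformed DOC File UploadEPSS 0.3%"
    "CVE-2024-1949LOWA race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 "
    "allows an authenticated attacker to gain unauthorized accEPSS 0.3%"
    "CVE-2025-55070MEDIUMLack of MFA enforcement in WebSocket connectionsEPSS 0.3%"
    "CVE-2025-3913MEDIUMTeam Privacy Settings Authorization Bypass in Mattermost ServerEPSS 0.3%"
    "CVE-2025-53514MEDIUMUnexpected Input to Server Webhook endpoint Causes DoS in Mattermost Confluence PluginEPSS 0.3%"
    "CVE-2026-24458HIGHDoS attack via login attempts with multi-megabyte passwordsEPSS 0.3%"
    "CVE-2024-39836MEDIUMMunged email address used for password resets and notificationsEPSS 0.3%"
    "CVE-2024-34152MEDIUMPlaybook Run Metadata leak to GuestEPSS 0.3%"
    "CVE-2024-36241LOW/playbook add slash command allows viewing arbitrary post contentsEPSS 0.3%"
    "CVE-2026-6739MEDIUMMattermost: Delegated admins could patch protected default system rolesEPSS 0.3%"
    "CVE-2025-2527MEDIUMImproper access control to group informationEPSS 0.3%"
    "CVE-2026-6347HIGHMattermost Calls plugin exposes TURN server credentials in plaintext in support packetsEPSS 0.3%"
    "CVE-2026-7184MEDIUMMattermost Remote Cluster PATCH API Leaks Authentication TokensEPSS 0.3%"
    "CVE-2023-3613LOWGuest accounts invited and added to channels by Welcomebot pluginEPSS 0.3%"
)

# Hypothetical ranking used only to break EPSS ties; not Vexday's scale.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# One row is: CVE id, a severity word, the title, then "EPSS <n>%".
# The title is matched lazily so it stops at the first "EPSS " marker.
ROW_RE = re.compile(r"(CVE-\d{4}-\d{4,})(LOW|MEDIUM|HIGH|CRITICAL)(.*?)EPSS ([0-9.]+)%")


@dataclass(frozen=True)
class Entry:
    cve: str
    severity: str
    title: str
    epss: float  # probability in [0, 1], converted from the page's percentage


def parse_listing(raw: str) -> list:
    """Split the run-together text into Entry records, in page order."""
    return [
        Entry(cve, sev, title.strip(), float(pct) / 100.0)
        for cve, sev, title, pct in ROW_RE.findall(raw)
    ]


def severity_counts(entries) -> dict:
    """Count entries per severity word."""
    counts = {}
    for e in entries:
        counts[e.severity] = counts.get(e.severity, 0) + 1
    return counts


def triage(entries, kev_ids=frozenset()) -> list:
    """Order for remediation: KEV members first, then higher EPSS, then
    higher severity. sorted() is stable, so rows that tie on all three
    keys keep their listing order."""
    return sorted(
        entries,
        key=lambda e: (e.cve in kev_ids, e.epss, SEVERITY_RANK.get(e.severity, 0)),
        reverse=True,
    )


if __name__ == "__main__":
    rows = parse_listing(RAW_LISTING)
    print(f"{len(rows)} entries, by severity: {severity_counts(rows)}")
    # Empty KEV set: the analysis reports no Mattermost CVE in CISA KEV.
    for e in triage(rows, kev_ids=frozenset())[:5]:
        print(f"{e.cve:16} {e.severity:8} EPSS={e.epss:.2%}  {e.title}")
```

Because every row on this page carries the same 0.3% EPSS, the ordering collapses to severity and then listing order; the KEV check only changes the result if a caller passes a non-empty set, which is the mechanism to wire to a real KEV feed.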