Vulnerabilities in Mattermost

434 results
CVE ID (severity, EPSS): description

CVE-2022-4045 (LOW, EPSS 0.6%): Authenticated user could send multiple requests containing a parameter which could fetch a large amount of data and can crash a Mattermost server
CVE-2024-2450 (HIGH, EPSS 0.6%): Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account own…
CVE-2025-20033 (MEDIUM, EPSS 0.6%): DoS via custom post type for sysconsole plugin readers
CVE-2024-54083 (MEDIUM, EPSS 0.6%): DoS via lack of type validation in Calls
CVE-2025-20630 (MEDIUM, EPSS 0.6%): Mobile crash via object that can't be cast to String in Attachment Field
CVE-2023-2193 (MEDIUM, EPSS 0.6%): OAuth authorization codes do not expire when deauthorizing an OAuth2 app
CVE-2021-37864 (LOW, EPSS 0.6%): Users can view the contents of an archived channel when access is explicitly denied by the system admin
CVE-2024-47003 (LOW, EPSS 0.6%): DoS via non-string message using permalink embed
CVE-2025-20051 (CRITICAL, EPSS 0.6%): Arbitrary file read via block duplication in Mattermost Boards
CVE-2023-5196 (MEDIUM, EPSS 0.6%): DoS via Channel Notification Properties
CVE-2024-28949 (MEDIUM, EPSS 0.6%): DoS via a large number of User Preferences
CVE-2023-2793 (MEDIUM, EPSS 0.6%): Stack exhaustion in PreparePostForClientWithEmbedsAndImages
CVE-2024-4182 (MEDIUM, EPSS 0.6%): Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom stat…
CVE-2022-1548 (LOW, EPSS 0.5%): Playbook members are allowed to escalate their membership privileges and perform actions restricted to playbook admins
CVE-2023-2514 (MEDIUM, EPSS 0.5%): DB username/password revealed in application logs
CVE-2023-1775 (MEDIUM, EPSS 0.5%): Unsanitized events sent over WebSocket to regular users in a High Availability environment
CVE-2025-20088 (MEDIUM, EPSS 0.5%): Insufficient input validation on Post Props
CVE-2023-2787 (MEDIUM, EPSS 0.5%): Collapsed Reply Threads APIs leak message contents from private channels
CVE-2025-21088 (MEDIUM, EPSS 0.5%): WebApp crash via improper validation of proto style in attachments
CVE-2022-2366 (MEDIUM, EPSS 0.5%): Incorrect defaults can cause attackers to bypass rate limitations