Vulnerabilities in Mattermost
434 results

CVE-2024-39839 | MEDIUM | Remote username set to an arbitrary string by remote user | EPSS 0.3%
CVE-2024-39353 | LOW | RemoteClusterFrame payloads are audit logged in full | EPSS 0.3%
CVE-2023-5194 | LOW | A system/user manager can demote / deactivate another manager | EPSS 0.3%
CVE-2024-1888 | MEDIUM | Existing server guests invited to the team by members without "invite_guest" permission | EPSS 0.3%
CVE-2024-29221 | MEDIUM | Invite ID available to team admins even without the "Add Members" permission | EPSS 0.3%
CVE-2023-4105 | LOW | Attachment of deleted message in a thread remains accessible and downloadable | EPSS 0.3%
CVE-2024-1887 | MEDIUM | Public channel post content accessible without membership when compliance export is enabled | EPSS 0.3%
CVE-2023-5875 | LOW | Lack of Hardening against media exploitation from a remote origin | EPSS 0.3%
CVE-2026-2462 | MEDIUM | Admin RCE via Malicious Plugin Upload on CI Test Instances | EPSS 0.3%
CVE-2026-5740 | HIGH | Unauthenticated WebSocket binary frame causes denial of service in Mattermost Server | EPSS 0.3%
CVE-2024-45833 | MEDIUM | Mobile password gets saved in dictionary under conditions | EPSS 0.3%
CVE-2023-2784 | MEDIUM | Apps Framework allows install requests from regular members via an internal path | EPSS 0.3%
CVE-2023-50333 | LOW | Lack of restriction to manage group names for freshly demoted guests | EPSS 0.3%
CVE-2023-5331 | MEDIUM | File Information Leak via IDOR in file_id in Draft Posts | EPSS 0.3%
CVE-2025-14822 | LOW | DoS from quadratic complexity in model.ParseHashtags | EPSS 0.3%
CVE-2023-6547 | LOW | Playbooks access/modification by removed team member | EPSS 0.3%
CVE-2023-3614 | MEDIUM | Denial of Service via specially crafted gif image | EPSS 0.3%
CVE-2025-25068 | HIGH | Bypassing MFA Enforcement on Plugin Endpoints | EPSS 0.3%
CVE-2023-1774 | MEDIUM | Unauthorized email invite to a private channel | EPSS 0.3%
CVE-2025-35965 | MEDIUM | DoS in Mattermost Playbooks via Excessive Task Actions | EPSS 0.3%