Vulnerabilities in Mattermost

438 results
Vexday Analysis

With 434 CVEs catalogued and no confirmed entry in the CISA KEV catalog, Mattermost shows an active-exploitation rate below the catalog-wide average, which indicates relatively contained immediate operational risk. However, the volume of 60 vulnerabilities that surfaced in the last 90 days deserves attention, as it signals a high pace of recent discovery. The most common weakness is CWE-863 (incorrect authorization), a pattern that tends to allow unauthorized access to resources and functionality and that calls for careful review of access controls in deployments. The most dangerous CVE currently identified, CVE-2025-25279, has an EPSS score of 0.2081 (the highest observed in the portfolio) and, although exploitation has not yet been confirmed, it should be prioritized given the potential risk of exploitation in the near term.

CVE-2026-5308 (MEDIUM, EPSS 0.3%): Missing request body size limits on Zoom plugin HTTP endpoints
CVE-2024-9155 (MEDIUM, EPSS 0.3%): Insufficient Authorization On Unlinked Channel Files
CVE-2026-4646 (MEDIUM, EPSS 0.3%): Insufficient input validation in GitHub plugin API causes denial of service
CVE-2025-9081 (LOW, EPSS 0.3%): IDOR in board file download allows any user to download any file by UUID
CVE-2026-4858 (HIGH, EPSS 0.2%): Path traversal in integration action URL leading to arbitrary API execution via system admin's auth token
CVE-2024-48872 (MEDIUM, EPSS 0.2%): Bypass of "Max failed attempts" restriction via race condition
CVE-2025-54499 (LOW, EPSS 0.2%): Insecure string comparison enables timing attacks
CVE-2024-47145 (LOW, EPSS 0.2%): Unauthorized access on archived channels via file links
CVE-2024-23319 (LOW, EPSS 0.2%): CSRF issue allows disconnecting a user's Jira connection through a simple post message (Jira Plugin)
CVE-2025-3228 (MEDIUM, EPSS 0.2%): Unauthorized Guest user access to Playbook
CVE-2026-5755 (MEDIUM, EPSS 0.2%): Denial of service via crafted TIFF file upload
CVE-2024-29215 (MEDIUM, EPSS 0.2%): Slash commands run in channel without channel membership via playbook task commands
CVE-2024-43813 (MEDIUM, EPSS 0.2%): IDOR when marking read a user's channel
CVE-2025-11794 (MEDIUM, EPSS 0.2%): Password hash and MFA secret returned in user email verification endpoint
CVE-2026-4054 (MEDIUM, EPSS 0.2%): SVG content served through Mattermost image proxy despite Content-Type restrictions causes client-side denial of service
CVE-2025-9076 (MEDIUM, EPSS 0.2%): Mattermost Server exposes sensitive user credentials during shared channel membership synchronization
CVE-2024-31859 (MEDIUM, EPSS 0.2%): Member promoted to channel admin via playbooks run linking to channel
CVE-2025-12689 (MEDIUM, EPSS 0.2%): DoS in Calls plugin via malformed UTF-8 in WebSocket request
CVE-2026-6340 (MEDIUM, EPSS 0.2%): Memory Exhaustion via Malicious 7zip File Upload
CVE-2026-2325 (MEDIUM, EPSS 0.2%): Improper Input Validation in MS Teams Meetings API Handler