Vulnerabilities in Mattermost

438 results
Vexday analysis

With 434 catalogued CVEs and no confirmed entry in the CISA KEV catalog, Mattermost shows an active-exploitation rate below the catalog-wide average, which points to relatively contained immediate operational risk. Absence from KEV is not proof that nothing is being exploited, only that no exploitation has been confirmed and recorded there. The 60 vulnerabilities published in the last 90 days nevertheless deserve attention, since they signal a high pace of recent discovery. The most common weakness is CWE-863 (Incorrect Authorization), a pattern that typically lets a user reach resources or functionality they are not entitled to; the list below is dominated by exactly this kind of missing permission check (plugin commands, statistics, member lists, archived channels), so deployments should review role and permission configuration carefully and keep plugins at patched versions. The most dangerous CVE currently identified, CVE-2025-25279, has an EPSS score of 0.2081, the highest observed in the portfolio. EPSS estimates the probability of exploitation activity within the next 30 days, so a score of 0.2081 is roughly a one-in-five chance; although exploitation has not been confirmed, it should be prioritized given the potential for exploitation in the near term.

| CVE | Severity | Title | EPSS |
|---|---|---|---|
| CVE-2026-22892 | MEDIUM | Insufficient Authorization in Mattermost Jira Plugin Allows Unauthorized Access to Post Attachments | 0.2% |
| CVE-2024-32945 | LOW | LaTeX post content manipulation via renderer state leak across contexts | 0.2% |
| CVE-2025-1412 | LOW | Session Persistence After User-to-Bot Conversion | 0.2% |
| CVE-2025-24866 | LOW | Unauthorized Access to User Activity Logs API by delegated granular administration roles | 0.2% |
| CVE-2025-4573 | MEDIUM | LDAP Injection in Mattermost Enterprise Edition When Using Active Directory | 0.2% |
| CVE-2026-1046 | HIGH | Arbitrary application execution via unvalidated server-controlled URLs in Help menu | 0.2% |
| CVE-2025-0503 | LOW | Leaked User IDs and Metadata of Deleted DMs | 0.2% |
| CVE-2023-3586 | MEDIUM | Disabling publicly-shared boards does not disable existing publicly available board links | 0.2% |
| CVE-2025-1472 | MEDIUM | Unauthorized View Access to Site Statistics and Team Statistics | 0.2% |
| CVE-2025-49221 | LOW | Unauthenticated Access to Channel Subscription in Mattermost Confluence Plugin | 0.2% |
| CVE-2026-3115 | MEDIUM | Guest users can view group member IDs without respecting view restrictions | 0.2% |
| CVE-2026-6345 | MEDIUM | Prevent password disclosure and force reset during Slack import | 0.2% |
| CVE-2026-8823 | LOW | User Manager can demote bot accounts to guest without bot-management permission | 0.2% |
| CVE-2024-32045 | MEDIUM | Playbook run link to private channel grants channel access | 0.2% |
| CVE-2025-41423 | LOW | Unauthorized Playbooks Post Deletion in Mattermost Playbooks Plugin | 0.2% |
| CVE-2025-2564 | MEDIUM | Unauthorized View Access to Archived Channel Member Info | 0.2% |
| CVE-2026-3117 | MEDIUM | Instance and webhook GitLab plugin commands were able to be run by non-admin users | 0.2% |
| CVE-2025-14273 | HIGH | Mattermost Jira plugin user spoofing enables Jira request forgery | 0.2% |
| CVE-2025-31363 | LOW | Data exfiltration via AI plugin Jira tool | 0.2% |
| CVE-2025-54478 | HIGH | Unauthenticated Channel Subscription Edit in Mattermost Confluence Plugin | 0.2% |
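As an added example (not Vexday's or Mattermost's code), the script below turns the kind of list shown above into something a triage queue can consume. The raw export runs each record together without separators (CVE ID, severity band, title, then "EPSS n%"), so the parser assumes exactly that layout; the sample blob is four records copied from the list, and the KEV set used in the usage is constructed purely for illustration, since the analysis reports no Mattermost CVE in the KEV catalog. Ordering follows the reasoning in the analysis: confirmed exploitation (KEV) first, then EPSS, then severity band.

```python
"""Parse a Vexday-style flattened CVE list and rank it for remediation.

Added example, not Vexday's or Mattermost's code. The input layout is an
assumption taken from how the records appear on the page: CVE ID, severity
band, title and "EPSS <n>%" concatenated with no separator between records.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: four records copied from the page's list, run together
# exactly the way the raw export presents them.
SAMPLE = (
    "CVE-2026-22892MEDIUMInsufficient Authorization in Mattermost Jira Plugin "
    "Allows Unauthorized Access to Post AttachmentsEPSS 0.2%"
    "CVE-2024-32945LOWLaTeX post content manipulation via renderer state leak "
    "across contextsEPSS 0.2%"
    "CVE-2026-1046HIGHArbitrary application execution via unvalidated "
    "server-controlled URLs in Help menuEPSS 0.2%"
    "CVE-2023-3586MEDIUM Disabling publicly-shared boards does not disable "
    "existing publicly available board linksEPSS 0.2%"
)

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# One record: ID, band, title (lazy, so it stops at the first "EPSS"), score.
ENTRY_RE = re.compile(
    r"(?P<cve>CVE-\d{4}-\d{4,7})"
    r"(?P<severity>CRITICAL|HIGH|MEDIUM|LOW)"
    r"\s*(?P<title>.*?)"
    r"EPSS\s+(?P<epss>\d+(?:\.\d+)?)%"
)


@dataclass(frozen=True)
class Entry:
    cve: str
    severity: str
    title: str
    epss: float  # probability of exploitation activity in the next 30 days, 0..1


def parse_entries(blob: str) -> list[Entry]:
    """Split the run-together export into structured records."""
    return [
        Entry(
            cve=m.group("cve"),
            severity=m.group("severity"),
            title=m.group("title").strip(),
            epss=float(m.group("epss")) / 100.0,  # the page shows a percentage
        )
        for m in ENTRY_RE.finditer(blob)
    ]


def triage(entries: list[Entry], kev: frozenset[str] = frozenset()) -> list[Entry]:
    """Remediation order: anything in CISA KEV first, then highest EPSS,
    then severity band, then CVE ID as a stable tie-breaker."""
    return sorted(
        entries,
        key=lambda e: (e.cve not in kev, -e.epss, -SEVERITY_RANK.get(e.severity, 0), e.cve),
    )


def summarize(entries: list[Entry]) -> dict:
    """Portfolio-level numbers of the kind the analysis paragraph reports."""
    top = max(entries, key=lambda e: e.epss, default=None)
    return {
        "total": len(entries),
        "by_severity": dict(Counter(e.severity for e in entries)),
        "max_epss": top.epss if top else None,
        "max_epss_cve": top.cve if top else None,
    }


if __name__ == "__main__":
    records = parse_entries(SAMPLE)
    # Hypothetical KEV membership, for illustration only: the page reports no
    # Mattermost CVE in the KEV catalog.
    for e in triage(records, kev=frozenset({"CVE-2023-3586"})):
        print(f"{e.cve:16} {e.severity:7} EPSS={e.epss:.3%}  {e.title}")
    print(summarize(records))
```

Because every record in the sample carries the same 0.2% EPSS, the ordering falls through to the severity band, which is exactly the situation the analysis describes: when the probability signal is flat, the one standout (CVE-2025-25279 at 0.2081 on the full portfolio) is what should rise to the top, and KEV membership, if it ever appears, overrides both.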