Known Vulnerabilities for products from Mattermost

Listed below are 20 of the newest known vulnerabilities associated with the vendor "Mattermost".

These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.

Data on known vulnerable products is also displayed based on information from known CPEs, each product links to its respective vulnerability page.

Known Vulnerabilities

CVE Shortened Description Severity Publish Date Last Modified
CVE-2026-53837 json Not Provided 2026-06-12 2026-06-15
CVE-2026-46548 json Not Provided 2026-06-23 2026-06-24
CVE-2026-45003 json Not Provided 2026-05-11 2026-05-11
CVE-2026-28759 json Not Provided 2026-05-18 2026-05-18
CVE-2026-28741 json Mattermost versions 10.11.x <= 10.11.12, 11.5.x <= 11.5.0, 11.4.x <= 11.4.2, 11.3.x <= 11.3.2 fail to validate CSRF tokens on... Not Provided 2026-04-15 2026-04-22
CVE-2026-28736 json ** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This all... Not Provided 2026-04-03 2026-04-28
CVE-2026-28732 json Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word unique... Not Provided 2026-05-18 2026-05-19
CVE-2026-27769 json Mattermost versions 10.11.x <= 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspac... Not Provided 2026-04-15 2026-04-22
CVE-2026-25773 json ** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic ... Not Provided 2026-04-03 2026-04-28
CVE-2026-24661 json Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows a... Not Provided 2026-04-09 2026-04-17
CVE-2026-22880 json Not Provided 2026-05-21 2026-05-21
CVE-2026-21388 json Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows a... Not Provided 2026-04-09 2026-04-25
CVE-2026-13426 json Not Provided 2026-06-26 2026-06-26
CVE-2026-10106 json Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify that the channel referenced in an ... Not Provided 2026-07-13 2026-07-13
CVE-2026-10103 json Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to verify post ownership in the shared chann... Not Provided 2026-07-13 2026-07-14
CVE-2026-10085 json Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict the group_constrained channel fl... Not Provided 2026-07-13 2026-07-14
CVE-2026-9824 json Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permissi... Not Provided 2026-07-13 2026-07-13
CVE-2026-9820 json Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint... Not Provided 2026-07-13 2026-07-13
CVE-2026-9708 json Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate that an assigned incoming webhoo... Not Provided 2026-07-13 2026-07-13
CVE-2026-9597 json Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4 fail to verify whether a guest account is deactivated before creating ... Not Provided 2026-07-13 2026-07-13

Known software with vulnerabilities from Mattermost

Type Vendor Product Version
ApplicationMattermostMattermost-
ApplicationMattermostMattermost Desktop3.4.0
ApplicationMattermostMattermost Mobile1.26.0
ApplicationMattermostMattermost Packages5.16.3
ApplicationMattermostMattermost Plugins5.13.0
ApplicationMattermostMattermost Server0.5.0
ApplicationMattermostServer5.19.0
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report