Vulnerabilities > Mattermost > High

DATE CVE VULNERABILITY TITLE RISK
2025-03-21 CVE-2025-25068 Missing Authentication for Critical Function vulnerability in Mattermost Server
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.
network
low complexity
mattermost CWE-306
8.8
2025-03-21 CVE-2025-25274 Command Injection vulnerability in Mattermost Server
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.
network
low complexity
mattermost CWE-77
8.8
2024-09-16 CVE-2024-39613 Uncontrolled Search Path Element vulnerability in Mattermost Desktop
Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching for the cmd.exe file, which allows a local attacker who is able to put a cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine.
local
low complexity
mattermost CWE-427
7.8
2024-08-22 CVE-2024-40886 Cross-Site Request Forgery (CSRF) vulnerability in Mattermost
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to sanitize user inputs in the frontend that are used for redirection, which allows for a one-click client-side path traversal that leads to CSRF in the User Management page of the system console.
network
low complexity
mattermost CWE-352
8.8
2024-08-22 CVE-2024-8071 Unspecified vulnerability in Mattermost
Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to restrict which roles can promote a user to system admin, which allows a System Role with edit access to the permissions section of the system console to update their role (e.g.
network
low complexity
mattermost
7.2
2024-08-01 CVE-2024-39832 Improper Check for Unusual or Exceptional Conditions vulnerability in Mattermost
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly safeguard error handling, which allows a malicious remote to permanently delete local data by abusing dangerous error handling when shared channels were enabled.
network
low complexity
mattermost CWE-754
8.7
2024-08-01 CVE-2024-41144 Unspecified vulnerability in Mattermost Server
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels.
network
low complexity
mattermost
7.1
2024-03-15 CVE-2024-2450 Missing Authentication for Critical Function vulnerability in Mattermost Server
Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions.
network
low complexity
mattermost CWE-306
8.8
2023-12-29 CVE-2023-7114 Path Traversal vulnerability in Mattermost
Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server.
network
low complexity
mattermost CWE-22
8.8
2023-12-12 CVE-2023-45316 Path Traversal vulnerability in Mattermost Server
Mattermost fails to validate if a relative path is passed in /plugins/playbooks/api/v0/telemetry/run/<telem_run_id> as a telemetry run ID, allowing an attacker to use a path traversal payload that points to a different endpoint leading to a CSRF attack.
network
low complexity
mattermost CWE-22
8.8