Search Results (452 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-20036 1 Mattermost 1 Mattermost Mobile 2025-09-25 6.5 Medium
Mattermost Mobile Apps versions <=2.22.0 fail to properly validate post props which allows a malicious authenticated user to cause a crash via a malicious post.
CVE-2025-53910 1 Mattermost 2 Confluence, Mattermost 2025-09-25 4 Medium
Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create a channel subscription without proper access to the channel via API call to the edit channel subscription endpoint.
CVE-2025-53857 1 Mattermost 2 Confluence, Mattermost 2025-09-25 3.7 Low
Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint.
CVE-2025-53514 1 Mattermost 2 Confluence, Mattermost 2025-09-25 5.9 Medium
Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body.
CVE-2025-48731 1 Mattermost 2 Confluence, Mattermost 2025-09-25 6.4 Medium
Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to edit a subscription for a Confluence space the user does not have access for via edit subscription endpoint.
CVE-2025-44004 1 Mattermost 2 Confluence, Mattermost 2025-09-25 7.2 High
Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper authorization via API call to the create channel subscription endpoint.
CVE-2025-52931 1 Mattermost 2 Confluence, Mattermost 2025-09-25 7.5 High
Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to update channel subscription endpoint with an invalid request body.
CVE-2025-44001 1 Mattermost 2 Confluence, Mattermost 2025-09-25 4 Medium
Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the Get Channel Subscriptions details endpoint.
CVE-2025-49221 1 Mattermost 2 Confluence, Mattermost 2025-09-24 3.7 Low
Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to access subscription details without via API call to GET subscription endpoint.
CVE-2024-11358 2 Google, Mattermost 3 Android, Mattermost, Mattermost Mobile 2025-09-24 5.7 Medium
Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.
CVE-2025-0476 1 Mattermost 1 Mattermost Mobile 2025-09-24 4.3 Medium
Mattermost Mobile Apps versions <=2.22.0 fail to properly handle specially crafted attachment names, which allows an attacker to crash the mobile app for any user who opened a channel containing the specially crafted attachment
CVE-2025-20072 1 Mattermost 2 Mattermost, Mattermost Mobile 2025-09-24 6.5 Medium
Mattermost Mobile versions <= 2.22.0 fail to properly validate the style of proto supplied to an action's style in post.props.attachments, which allows an attacker to crash the mobile via crafted malicious input.
CVE-2025-20630 1 Mattermost 1 Mattermost Mobile 2025-09-24 6.5 Medium
Mattermost Mobile versions <=2.22.0 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the mobile to crash via creating and sending such a post to a channel.
CVE-2025-30516 1 Mattermost 1 Mattermost Mobile 2025-09-24 2 Low
Mattermost Mobile Apps versions <=2.25.0  fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mobile notifications
CVE-2025-54463 1 Mattermost 2 Confluence, Mattermost 2025-09-24 5.9 Medium
Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body.
CVE-2025-54478 1 Mattermost 2 Confluence, Mattermost 2025-09-24 7.2 High
Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint.
CVE-2025-54525 1 Mattermost 2 Confluence, Mattermost 2025-09-24 7.5 High
Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to create channel subscription endpoint with an invalid request body.
CVE-2025-8285 1 Mattermost 2 Confluence, Mattermost 2025-09-24 4 Medium
Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create channel subscription without proper access to the channel via API call to the create channel subscription endpoint.
CVE-2025-9076 1 Mattermost 2 Mattermost, Mattermost Server 2025-09-20 6.5 Medium
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instances with shared channels enabled.
CVE-2025-9072 1 Mattermost 2 Mattermost, Mattermost Server 2025-09-17 7.6 High
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craft a malicious link that, once a user authenticates with their SAML provider, could post the user’s cookies to an attacker-controlled URL.