Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10110
Total
681
Critical
2907
High
3176
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-6346 | HIGH | 8.7 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which … | May 18, 2026 |
| CVE-2026-6345 | MEDIUM | 6.5 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail prevent disclosure of created user password which allows a malicious attacker to impersonate … | May 18, 2026 |
| CVE-2026-6343 | MEDIUM | 4.3 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public … | May 18, 2026 |
| CVE-2026-6339 | MEDIUM | 4.3 | Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member … | May 18, 2026 |
| CVE-2026-6333 | LOW | 3.5 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an … | May 18, 2026 |
| CVE-2026-5163 | MEDIUM | 6.5 | Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of … | May 18, 2026 |
| CVE-2026-4643 | LOW | 3.5 | Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows … | May 18, 2026 |
| CVE-2026-4286 | LOW | 3.1 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing users with only {{Manage Playbook … | May 18, 2026 |
| CVE-2026-3471 | MEDIUM | 6.5 | Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which … | May 18, 2026 |
| CVE-2026-3117 | MEDIUM | 6.5 | Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to … | May 18, 2026 |
| CVE-2026-28732 | MEDIUM | 4.3 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated … | May 18, 2026 |
| CVE-2026-8788 | UNKNOWN | — | Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated … | May 18, 2026 |
| CVE-2026-6342 | MEDIUM | 4.3 | Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were … | May 18, 2026 |
| CVE-2026-6341 | MEDIUM | 4.3 | Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which … | May 18, 2026 |
| CVE-2026-6340 | MEDIUM | 4.3 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to … | May 18, 2026 |
| CVE-2026-6334 | LOW | 3.1 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated … | May 18, 2026 |
| CVE-2026-4273 | LOW | 3.7 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation … | May 18, 2026 |
| CVE-2026-3637 | MEDIUM | 4.3 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an … | May 18, 2026 |
| CVE-2026-3495 | LOW | 3.8 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an … | May 18, 2026 |
| CVE-2026-2325 | MEDIUM | 4.3 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API … | May 18, 2026 |
| CVE-2026-28759 | MEDIUM | 4.3 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing … | May 18, 2026 |
| CVE-2026-6495 | HIGH | 7.1 | The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a … | May 18, 2026 |
| CVE-2026-6381 | HIGH | 7.5 | The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform … | May 18, 2026 |
| CVE-2026-6379 | HIGH | 8.6 | The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing … | May 18, 2026 |
| CVE-2026-3220 | HIGH | 8.8 | The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting … | May 18, 2026 |