pkg:Go/github.com/mattermost/mattermost/server/v8

All known vulnerabilities

• CRITICAL9.9CVE-2025-12421Mattermost fails to to verify the token used during code exchange in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20251022210333-acda1fb5dd46
• CRITICAL9.9CVE-2025-12421Mattermost fails to to verify the token used during code exchange in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20251022210333-acda1fb5dd46
• CRITICAL9.9Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20251028000919-d3ed703dc833
• CRITICAL9.9Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20251028000919-d3ed703dc833
• CRITICAL9.9Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250519205859-65aec10162f6
• CRITICAL9.9Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250519205859-65aec10162f6
• CRITICAL9.9Mattermost allows reading arbitrary files related to importing boards in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250122165010-4ed702ccff4e
• CRITICAL9.9Mattermost allows reading arbitrary files related to importing boards in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250122165010-4ed702ccff4e
• CRITICAL9.9Mattermost allows reading arbitrary files in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250122165010-4ed702ccff4e
• CRITICAL9.9Mattermost allows reading arbitrary files in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250122165010-4ed702ccff4e
• HIGH8.7Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation
  >= 11.5.0, < 11.5.2
• HIGH8.7Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server
  >= 9.9.0, < 9.9.1
• HIGH8.7Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server
  from 0
• HIGH8.7Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server
  >= 9.5.0, < 9.5.7
• HIGH8.7Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server
  from 0
• HIGH8.1Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
  from 0
• HIGH8.1Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250807174701-e14175eb6539
• HIGH8.1Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250815100400-2d5cdc6e217e
• HIGH8.1Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250807174701-e14175eb6539
• HIGH8.0Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences
  >= 11.4.0-rc1, < 11.4.1
• HIGH8.0Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250707221302-a8fa77f107ef
• HIGH8.0Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250707221302-a8fa77f107ef
• HIGH7.6Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250731063404-9eebaadf8f72
• HIGH7.6Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250731063404-9eebaadf8f72
• HIGH7.5Mattermost fails to properly handle very long passwords in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20260129164748-7201f42d955f
• HIGH7.5Mattermost fails to properly handle very long passwords in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20260129164748-7201f42d955f
• HIGH7.5Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server
  from 0
• HIGH7.5Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server
  >= 10.4.0, < 10.4.3
• HIGH7.4Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server
  from 0
• HIGH7.4Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server
  >= 9.5.0, < 9.5.7
• HIGH7.2Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira
  from 0, < 8.0.0-20251121122154-b57c297c6d7a
• HIGH7.2Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira
  from 0, < 8.0.0-20251121122154-b57c297c6d7a
• HIGH7.1Mattermost Injection vulnerability
  from 0, < 8.1.5
• MEDIUM6.8Mattermost doesn't validate CSRF tokens on an authentication endpoint
  >= 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20260220133927-c29cf05d40f8
• MEDIUM6.8Mattermost allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration
  >= 11.4.0-rc1, < 11.4.1
• MEDIUM6.8Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250708065844-b38e2eccda18
• MEDIUM6.8Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250708065844-b38e2eccda18
• MEDIUM6.8Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server
  from 0
• MEDIUM6.8Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250708173752-d6b35c41f0ae5
• MEDIUM6.8Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250619095651-9dd0b3943e55
• MEDIUM6.8Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server
  from 0
• MEDIUM6.8Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250529054450-d38c27f96fcf
• MEDIUM6.8Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250529054450-d38c27f96fcf
• MEDIUM6.8Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server
  from 0
• MEDIUM6.8Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server
  >= 9.5.0, < 9.5.7
• MEDIUM6.5Mattermost doesn't prevent disclosure of created user password
  >= 11.5.0, < 11.5.2
• MEDIUM6.5Mattermost doesn't verify channel membership when processing AI-assisted message rewrites
  >= 11.5.0, < 11.5.2
• MEDIUM6.5Mattermost has session spoofing due to lack of single-use consumption of guest magic link tokens enforcement
  >= 8.0.0-20250721062209-4952acea88ce, < 8.0.0-20250723052842-4cb8d8940332
• MEDIUM6.5Mattermost doesn't validate decompressed archive entry sizes during file extraction
  >= 11.4.0, < 11.4.1
• MEDIUM6.5Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250912063506-7d8b7b5e4a60
• MEDIUM6.5Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250912063506-7d8b7b5e4a60
• MEDIUM6.5Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250729073403-517ae758cd02
• MEDIUM6.5Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server
  from 0
• MEDIUM6.5Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250520130510-fa40a8c5d47f
• MEDIUM6.5Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250520130510-fa40a8c5d47f
• MEDIUM6.5Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks
  from 0, < 8.0.0-20250218121836-2b5275d87136
• MEDIUM6.5Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks
  from 0
• MEDIUM6.5Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks
  from 0
• MEDIUM6.5Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks
  from 0, < 8.0.0-20250218121836-2b5275d87136
• MEDIUM6.5Mattermost webapp crash via a crafted post in github.com/mattermost/mattermost-server
  >= 10.2.0, < 10.2.1
• MEDIUM6.5Mattermost webapp crash via a crafted post in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20241127161322-25ff7a3779a5
• MEDIUM6.5Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20241127161322-25ff7a3779a5
• MEDIUM6.5Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
  >= 10.2.0, < 10.2.1
• MEDIUM6.5Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
  >= 10.2.0, < 10.2.1
• MEDIUM6.5Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20241127161322-25ff7a3779a5
• MEDIUM6.5Mattermost Incorrect Type Conversion or Cast in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20241127161322-25ff7a3779a5
• MEDIUM6.5Mattermost Incorrect Type Conversion or Cast in github.com/mattermost/mattermost-server
  >= 10.2.0, < 10.2.1
• MEDIUM6.5Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server
  from 0
• MEDIUM6.5Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server
  >= 10.1.0, < 10.1.3
• MEDIUM6.5Mattermost Data Amplification vulnerability in github.com/mattermost/mattermost-server
  >= 10.1.0, < 10.1.3
• MEDIUM6.5Mattermost Data Amplification vulnerability in github.com/mattermost/mattermost-server
  from 0
• MEDIUM6.5Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server
  from 0
• MEDIUM6.5Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server
  >= 8.1.0, < 8.1.11
• MEDIUM6.5Mattermost Incorrect Authorization vulnerability
  >= 8.1.0, < 8.1.1
• MEDIUM6.5Mattermost Uncontrolled Resource Consumption vulnerability
  >= 8.1.0, < 8.1.1
• MEDIUM6.0Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server
  from 0
• MEDIUM6.0Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server
  >= 9.5.0, < 9.5.8
• MEDIUM5.8Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server
  >= 10.6.0, < 10.6.2
• MEDIUM5.8Mattermost Fails to Lockout LDAP Users After Repeated Login Failures in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250415054241-76ab3867b785
• MEDIUM5.7Mattermost allows attackers to take over arbitrary user accounts via overly permissive substring matching flaw
  >= 8.0.0-20260105080200-d27a2195068d, < 8.0.0-20260217110922-b7d4a1f1f59b
• MEDIUM5.7Mattermost fails to sanitize sensitive data in WebSocket messages in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20251210191531-cd17b61de41b
• MEDIUM5.7Mattermost fails to sanitize sensitive data in WebSocket messages in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20251210191531-cd17b61de41b
• MEDIUM5.5Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server
  >= 9.5.0, < 9.5.7
• MEDIUM5.5Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server
  from 0
• MEDIUM5.4Mattermost has an Incorrect Authorization issue
  >= 11.4.0-rc1, < 11.4.1
• MEDIUM5.4Mattermost fails to properly validate login method restrictions in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20251212052346-61651b0df7ea
• MEDIUM5.4Mattermost fails to properly validate login method restrictions in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20251212052346-61651b0df7ea
• MEDIUM5.4Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250929212932-a41db04d2746
• MEDIUM5.4Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250929212932-a41db04d2746
• MEDIUM5.4Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
  from 0
• MEDIUM5.4Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250822083415-01b95392a450
• MEDIUM5.4Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250513065225-4ae5d647fb88
• MEDIUM5.4Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250513065225-4ae5d647fb88
• MEDIUM5.4Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server
  >= 10.7.0-rc1, < 10.7.1
• MEDIUM5.4Mattermost fails to properly invalidate personal access tokens upon user deactivation in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250402193107-65343f84a783
• MEDIUM5.4Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-server
  >= 10.5.0, < 10.5.2
• MEDIUM5.4Mattermost vulnerable to Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250220161544-fd356b62b4dd
• MEDIUM5.4Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server
  >= 10.4.0, < 10.4.3
• MEDIUM5.4Mattermost allows members with permission to convert public channels to private and convert private to public in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20250218135018-e644e3c8e393
• MEDIUM5.4Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server
  from 0, < 8.0.0-20240806094731-69a8b3df0f9f