CRITICAL (9.9) CVE-2025-12421: Mattermost fails to verify the token used during code exchange in github.com/mattermost/mattermost-server
  Affected versions: from 0
CRITICAL (9.9) CVE-2025-12421: Mattermost fails to verify the token used during code exchange in github.com/mattermost/mattermost-server
  Affected versions: >= 11.0.0, < 11.0.3
CRITICAL (9.9) CVE-2025-12419: Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server
  Affected versions: from 0
CRITICAL (9.9) Mattermost fails to properly validate OAuth state tokens during OpenID Connect authentication in github.com/mattermost/mattermost-server
  Affected versions: >= 10.12.0, < 10.12.2
CRITICAL (9.9) Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 0.0.0-20250519205859-65aec10162f6
CRITICAL (9.9) Mattermost allows authenticated users to write files to arbitrary locations in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 0.0.0-20250519205859-65aec10162f6, >= 9.11.0+incompatible, < 9.11.16+incompatible, >= 10.5.0+incompatible, < 10.5.6+incompatible, >= 10.6.0+incompatible, < 10.6.6+incompatible, >= 10.7.0+incompatible, < 10.7.3+incompatible, >= 10.8.0+incompatible, < 10.8.1+incompatible
CRITICAL (9.9) Mattermost allows reading arbitrary files related to importing boards in github.com/mattermost/mattermost-server
  Affected versions: >= 9.11.0-rc1+incompatible, < 9.11.8+incompatible, >= 10.2.0-rc1+incompatible, < 10.2.3+incompatible, >= 10.3.0-rc1+incompatible, < 10.3.3+incompatible, >= 10.4.0-rc1+incompatible, < 10.4.2+incompatible
CRITICAL (9.9) Mattermost allows reading arbitrary files in github.com/mattermost/mattermost-server
  Affected versions: >= 9.11.0-rc1+incompatible, < 9.11.8+incompatible, >= 10.2.0-rc1+incompatible, < 10.2.3+incompatible, >= 10.3.0-rc1+incompatible, < 10.3.3+incompatible, >= 10.4.0-rc1+incompatible, < 10.4.2+incompatible
CRITICAL (9.8) Mattermost Server server restarts may provide attackers with API access in github.com/mattermost/mattermost-server
  Affected versions: >= 3.7.0+incompatible, < 3.7.5+incompatible, >= 3.8.0+incompatible, < 3.8.2+incompatible
CRITICAL (9.8) Mattermost Server server restarts may provide attackers with API access in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.6.7-0.20170420152529-0968e4079e0a
CRITICAL (9.8) Mattermost Server is vulnerable to CSV Injection in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.10.3
CRITICAL (9.8) Mattermost Server password reset email requests can be sent to attacker-provided email addresses in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.9.1-rc1
CRITICAL (9.8) Mattermost Server password reset email requests can be sent to attacker-provided email addresses in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.9.1-rc1+incompatible, >= 3.10.0+incompatible, < 3.10.1+incompatible
CRITICAL (9.8) Mattermost Server is vulnerable to CSV Injection in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.10.3+incompatible, >= 4.0.0+incompatible, < 4.0.3+incompatible
CRITICAL (9.8) Mattermost Server is vulnerable to SQL Injection when executing multiple POST requests in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 4.1.2+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.1+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
CRITICAL (9.8) Mattermost Server is vulnerable to SQL Injection when executing multiple POST requests in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 4.1.2
CRITICAL (9.8) Mattermost Server allows attackers to gain privileges by accessing unintended API endpoints with users' credentials in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 4.1.2+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.1+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
CRITICAL (9.8) Mattermost Server allows attackers to gain privileges by accessing unintended API endpoints with users' credentials in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 4.1.2
CRITICAL (9.1) Mattermost Server has X.509 Improper Certificate Validation in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.6.7-rc1
CRITICAL (9.1) Mattermost Server has X.509 Improper Certificate Validation in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.6.7-rc1+incompatible, >= 3.7.0+incompatible, < 3.7.5+incompatible, >= 3.8.0+incompatible, < 3.8.2+incompatible
HIGH (8.8) Mattermost Server vulnerable to CSRF if CORS is enabled in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.9.2
HIGH (8.8) Mattermost Server vulnerable to CSRF if CORS is enabled in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.9.2+incompatible, >= 3.10.0+incompatible, < 3.10.2+incompatible
HIGH (8.8) Mattermost Server does not properly restrict use of slash commands in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 4.1.2
HIGH (8.8) Mattermost Server does not properly restrict use of slash commands in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 4.1.2+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.1+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.0+incompatible
HIGH (8.8) Insecure plugin handling in Mattermost in github.com/mattermost/mattermost-server
  Affected versions: from 0
HIGH (8.7) Mattermost doesn't sanitize sensitive configuration fields before including them in support packet generation
  Affected versions: from 0, < 5.3.2-0.20260326202606-fac92f4a71f3
HIGH (8.7) Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server
  Affected versions: >= 9.5.0+incompatible, < 9.5.7+incompatible, >= 9.7.0+incompatible, < 9.7.6+incompatible, >= 9.8.0+incompatible, < 9.8.1+incompatible, >= 9.9.0+incompatible, < 9.9.1+incompatible
HIGH (8.7) Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server
  Affected versions: >= 9.5.0+incompatible, < 9.5.7+incompatible, >= 9.7.0+incompatible, < 9.7.6+incompatible, >= 9.8.0+incompatible, < 9.8.2+incompatible, >= 9.9.0+incompatible, < 9.9.1+incompatible
HIGH (8.1) Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
  Affected versions: >= 10.11.0, < 10.11.2
HIGH (8.1) Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
  Affected versions: >= 10.5.0+incompatible, < 10.5.11+incompatible, >= 10.10.0+incompatible, < 10.10.3+incompatible, >= 10.11.0+incompatible, < 10.11.2+incompatible
HIGH (8.1) Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
  Affected versions: >= 10.11.0, < 10.11.2
HIGH (8.1) Mattermost has a Missing Authorization vulnerability in github.com/mattermost/mattermost-server
  Affected versions: >= 10.5.0+incompatible, < 10.5.11+incompatible, >= 10.10.0+incompatible, < 10.10.3+incompatible, >= 10.11.0+incompatible, < 10.11.2+incompatible
HIGH (8.1) Mattermost Server vulnerable to user account takeover when Single Sign-On OAuth2 is used in github.com/mattermost/mattermost-server
  Affected versions: >= 3.10.0+incompatible, < 3.10.2+incompatible
HIGH (8.1) Mattermost Server vulnerable to user account takeover when Single Sign-On OAuth2 is used in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.9.2-0.20170714134023-b17fca0d5ee7
HIGH (8.1) Mattermost Server has intermittent Authorization bypass for resource-owners in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 4.0.5
HIGH (8.1) Mattermost Server has intermittent Authorization bypass for resource-owners in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 4.0.5+incompatible, >= 4.1.0+incompatible, < 4.1.1+incompatible, >= 4.2.0-rc1+incompatible, < 4.2.0+incompatible
HIGH (8.0) Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
  Affected versions: >= 10.8.0, < 10.8.4
HIGH (8.0) Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
  Affected versions: >= 9.11.0+incompatible, < 9.11.18+incompatible, >= 10.5.0+incompatible, < 10.5.9+incompatible, >= 10.8.0+incompatible, < 10.8.4+incompatible, >= 10.9.0+incompatible, < 10.9.4+incompatible, >= 10.10.0+incompatible, < 10.10.2+incompatible
HIGH (7.6) Mattermost doesn't sanitize sensitive configuration fields in the Mattermost Calls plugin
  Affected versions: >= 11.5.0, < 11.5.2
HIGH (7.6) Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server
  Affected versions: >= 10.10.0, < 10.10.2
HIGH (7.6) Mattermost Open Redirect vulnerability in github.com/mattermost/mattermost-server
  Affected versions: >= 10.5.0+incompatible, < 10.5.10+incompatible, >= 10.9.0+incompatible, < 10.9.5+incompatible, >= 10.10.0+incompatible, < 10.10.2+incompatible
HIGH (7.5) Mattermost fails to properly handle very long passwords in github.com/mattermost/mattermost-server
  Affected versions: >= 10.11.0-rc1+incompatible, < 10.11.11+incompatible, >= 11.2.0-rc1+incompatible, < 11.2.3+incompatible, >= 11.3.0-rc1+incompatible, < 11.3.1+incompatible
HIGH (7.5) Mattermost fails to properly handle very long passwords in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 5.3.2-0.20260129164748-7201f42d955f
HIGH (7.5) Mattermost Fails to Enforce MFA on Plugin Endpoints in github.com/mattermost/mattermost-server
  Affected versions: >= 9.11.0+incompatible, < 9.11.9+incompatible, >= 10.3.0+incompatible, < 10.3.4+incompatible, >= 10.4.0+incompatible, < 10.4.3+incompatible, >= 10.5.0+incompatible, < 10.5.1+incompatible
HIGH (7.5) Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 5.1.0
HIGH (7.5) Mattermost Server is vulnerable to a Denial of Service attack through `invite_people` command in github.com/mattermost/mattermost-server
  Affected versions: from 0
HIGH (7.5) Mattermost Server SAML implementation does not require encryption or signature verification as default in github.com/mattermost/mattermost-server
  Affected versions: from 0
HIGH (7.5) Mattermost Server SAML implementation does not require encryption or signature verification as default in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.8.1-0.20170504181128-4f074fed0d65
HIGH (7.5) Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 4.2.2
HIGH (7.5) Mattermost Server vulnerable to Denial of Service through `@` character prefix inserted into JavaScript field names in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 4.2.2+incompatible, >= 4.3.0-rc1+incompatible, < 4.3.4+incompatible, >= 4.4.0-rc1+incompatible, < 4.4.5+incompatible, >= 4.5.0-rc1+incompatible, < 4.5.0+incompatible
HIGH (7.5) Mattermost Server: initial_load API exposes unnecessary information in github.com/mattermost/mattermost-server
  Affected versions: from 0
HIGH (7.5) Mattermost Server does not check if cookies are used over SSL in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.0.0+incompatible
HIGH (7.5) Mattermost Server: initial_load API exposes unnecessary information in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.1.1
HIGH (7.5) Mattermost Server does not enforce rate limits on password change attempts in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.2.0
HIGH (7.5) Mattermost Server does not check if cookies are used over SSL in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.0.0
HIGH (7.5) Mattermost Server does not enforce rate limits on password change attempts in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.2.0+incompatible
HIGH (7.4) Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server
  Affected versions: >= 9.5.0+incompatible, < 9.5.7+incompatible, >= 9.7.0+incompatible, < 9.7.6+incompatible, >= 9.8.0+incompatible, < 9.8.2+incompatible, >= 9.9.0+incompatible, < 9.9.1+incompatible
HIGH (7.2) Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira
  Affected versions: from 0
MEDIUM (6.8) Mattermost is vulnerable to DoS due to infinite re-renders on API errors in github.com/mattermost/mattermost-server
  Affected versions: >= 10.11.0+incompatible, < 10.11.9+incompatible, >= 11.0.1+incompatible, < 11.0.7+incompatible, >= 11.1.0+incompatible, < 11.1.2+incompatible
MEDIUM (6.8) Mattermost is vulnerable to DoS due to infinite re-renders on API errors in github.com/mattermost/mattermost-server
  Affected versions: >= 10.11.0, < 10.11.9
MEDIUM (6.8) Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server
  Affected versions: >= 10.8.0, < 10.8.4
MEDIUM (6.8) Mattermost Fails to Sanitize Path Traversal Sequences in github.com/mattermost/mattermost-server
  Affected versions: >= 9.11.0+incompatible, < 9.11.18+incompatible, >= 10.5.0+incompatible, < 10.5.9+incompatible, >= 10.8.0+incompatible, < 10.8.4+incompatible, >= 10.9.0+incompatible, < 10.9.3+incompatible
MEDIUM (6.8) Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server
  Affected versions: >= 9.11.0+incompatible, < 9.11.18+incompatible, >= 10.5.0+incompatible, < 10.5.9+incompatible, >= 10.8.0+incompatible, < 10.8.4+incompatible, >= 10.9.0+incompatible, < 10.9.2+incompatible
MEDIUM (6.8) Mattermost Fails to Validate File Paths in github.com/mattermost/mattermost-server
  Affected versions: >= 10.9.0, < 10.9.2
MEDIUM (6.8) Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server
  Affected versions: >= 9.11.0+incompatible, < 9.11.18+incompatible, >= 10.5.0+incompatible, < 10.5.9+incompatible, >= 10.8.0+incompatible, < 10.8.4+incompatible, >= 10.9.0+incompatible, < 10.9.3+incompatible, >= 10.10.0+incompatible, < 10.10.1+incompatible
MEDIUM (6.8) Mattermost Fails to Validate Remote Cluster Upload Sessions in github.com/mattermost/mattermost-server
  Affected versions: >= 10.8.0, < 10.8.4
MEDIUM (6.8) Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
  Affected versions: >= 9.11.0+incompatible, < 9.11.17+incompatible, >= 10.5.0+incompatible, < 10.5.8+incompatible, >= 10.7.0+incompatible, < 10.7.4+incompatible, >= 10.8.0+incompatible, < 10.8.2+incompatible
MEDIUM (6.8) Mattermost Path Traversal vulnerability in github.com/mattermost/mattermost-server
  Affected versions: >= 10.8.0, < 10.8.2
MEDIUM (6.8) Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server
  Affected versions: >= 9.5.0+incompatible, < 9.5.7+incompatible, >= 9.7.0+incompatible, < 9.7.6+incompatible, >= 9.8.0+incompatible, < 9.8.2+incompatible, >= 9.9.0+incompatible, < 9.9.1+incompatible
MEDIUM (6.5) Mattermost doesn't verify channel membership when processing AI-assisted message rewrites
  Affected versions: from 0, < 5.3.2-0.20260401090745-f4d1abe7e8f5
MEDIUM (6.5) Mattermost doesn't prevent disclosure of created user password
  Affected versions: from 0, < 5.3.2-0.20260311102650-3057ae7e83e9
MEDIUM (6.5) Mattermost has session spoofing due to lack of enforcement of single-use consumption of guest magic link tokens
  Affected versions: >= 10.11.0-rc1, < 10.11.13
MEDIUM (6.5) Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 11.1.0
MEDIUM (6.5) Mattermost does not enforce MFA on WebSocket connections in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 11.1.0+incompatible
MEDIUM (6.5) Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server
  Affected versions: >= 10.10.0, < 10.10.2
MEDIUM (6.5) Mattermost Missing Authorization vulnerability in github.com/mattermost/mattermost-server
  Affected versions: >= 10.10.0+incompatible, < 10.10.2+incompatible
MEDIUM (6.5) Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server
  Affected versions: >= 10.5.0, < 10.5.7
MEDIUM (6.5) Mattermost Missing Authentication for Critical Function in github.com/mattermost/mattermost-server
  Affected versions: >= 9.11.0+incompatible, < 9.11.17+incompatible, >= 10.5.0+incompatible, < 10.5.7+incompatible, >= 10.7.0+incompatible, < 10.7.4+incompatible, >= 10.8.0+incompatible, < 10.8.2+incompatible
MEDIUM (6.5) Mattermost Playbooks fails to validate the uniqueness and quantity of task actions in github.com/mattermost/mattermost-plugin-playbooks
  Affected versions: >= 9.11.0+incompatible
MEDIUM (6.5) Mattermost Playbooks fails to properly validate the props used by the RetrospectivePost custom post type in github.com/mattermost/mattermost-plugin-playbooks
  Affected versions: >= 9.11.0+incompatible
MEDIUM (6.5) Mattermost webapp crash via a crafted post in github.com/mattermost/mattermost-server
  Affected versions: >= 9.11.0+incompatible, < 9.11.6+incompatible, >= 10.0.0+incompatible, < 10.0.4+incompatible, >= 10.1.0+incompatible, < 10.1.4+incompatible, >= 10.2.0+incompatible, < 10.2.1+incompatible
MEDIUM (6.5) Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
  Affected versions: >= 9.11.0+incompatible, < 9.11.6+incompatible, >= 10.0.0+incompatible, < 10.0.4+incompatible, >= 10.1.0+incompatible, < 10.1.4+incompatible, >= 10.2.0+incompatible, < 10.2.1+incompatible
MEDIUM (6.5) Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server
  Affected versions: >= 9.11.0+incompatible, < 9.11.6+incompatible, >= 10.0.0+incompatible, < 10.0.4+incompatible, >= 10.1.0+incompatible, < 10.1.4+incompatible, >= 10.2.0+incompatible, < 10.2.1+incompatible
MEDIUM (6.5) Mattermost Incorrect Type Conversion or Cast in github.com/mattermost/mattermost-server
  Affected versions: >= 9.11.0+incompatible, < 9.11.6+incompatible, >= 10.0.0+incompatible, < 10.0.4+incompatible, >= 10.1.0+incompatible, < 10.1.4+incompatible, >= 10.2.0+incompatible, < 10.2.1+incompatible
MEDIUM (6.5) Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server
  Affected versions: >= 9.5.0+incompatible, < 9.5.13+incompatible, >= 9.11.0+incompatible, < 9.11.5+incompatible, >= 10.0.0+incompatible, < 10.0.3+incompatible, >= 10.1.0+incompatible, < 10.1.3+incompatible
MEDIUM (6.5) Mattermost Data Amplification vulnerability in github.com/mattermost/mattermost-server
  Affected versions: >= 9.5.0+incompatible, < 9.5.13+incompatible, >= 9.11.0+incompatible, < 9.11.5+incompatible, >= 10.0.0+incompatible, < 10.0.3+incompatible, >= 10.1.0+incompatible, < 10.1.3+incompatible
MEDIUM (6.5) Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server
  Affected versions: >= 9.3.0+incompatible, < 9.3.3+incompatible, >= 9.4.0+incompatible, < 9.4.4+incompatible, >= 9.5.0+incompatible, < 9.5.2+incompatible
MEDIUM (6.5) Mattermost vulnerable to information disclosure
  Affected versions: >= 3.3.0, < 7.1.6
MEDIUM (6.5) Denial of service in Mattermost
  Affected versions: from 0, < 7.1.4
MEDIUM (6.5) Denial of service in Mattermost
  Affected versions: from 0, < 7.1.4
MEDIUM (6.5) Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server
  Affected versions: from 0
MEDIUM (6.5) Uncontrolled Resource Consumption in Mattermost server
  Affected versions: >= 6.6.0, < 6.6.1
MEDIUM (6.5) Mattermost Server's Session ID and Session Token are potentially compromised in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.0.2
MEDIUM (6.5) Mattermost Server exposes sensitive information via its System Console UI in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.0.0
MEDIUM (6.5) Mattermost Server's Session ID and Session Token are potentially compromised in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.0.2+incompatible
MEDIUM (6.5) Mattermost Server exposes sensitive information via its System Console UI in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.0.0+incompatible
MEDIUM (6.5) Resource exhaustion in Mattermost in github.com/mattermost/mattermost-server
  Affected versions: from 0
MEDIUM (6.1) Mattermost Server vulnerable to XSS through channel headers in github.com/mattermost/mattermost-server
  Affected versions: >= 3.10.0+incompatible, < 3.10.2+incompatible
MEDIUM (6.1) Mattermost Server vulnerable to XSS via an uploaded file in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.9.2
MEDIUM (6.1) Mattermost Server vulnerable to XSS through channel headers in github.com/mattermost/mattermost-server
  Affected versions: from 0, < 3.9.2-0.20170714014920-312269ad0bd1