Vulnerabilities in Mattermost

438 results
Vexday Analysis

With 434 catalogued CVEs and no confirmed entry in the CISA KEV catalog, Mattermost shows an active-exploitation rate below the catalog's overall average, which indicates a relatively contained immediate operational risk. However, the 60 vulnerabilities that surfaced in the last 90 days deserve attention, signalling a high pace of recent discovery. The most common weakness is CWE-863 (incorrect authorization), a pattern that tends to allow unauthorized access to resources and functionality and that requires careful review of access controls in deployments. The most dangerous CVE currently identified, CVE-2025-25279, has an EPSS score of 0.2081, the highest observed in the portfolio, and although no exploitation has been confirmed yet, it should be prioritized given the potential risk of exploitation in the near term.

CVE | Severity | Title | EPSS
CVE-2026-28735 | MEDIUM | GitHub OAuth Scope Validation | 0.1%
CVE-2026-6333 | LOW | SSRF via Host Header Spoofing in Custom Slash Commands | 0.1%
CVE-2026-1628 | MEDIUM | Mattermost allows external websites to open within the app, exposing preload functionality to non-trusted sites | 0.1%
CVE-2026-28741 | MEDIUM | CSRF Protection Bypass Allows Updating a User's Authentication Method | 0.1%
CVE-2026-3113 | MEDIUM | mmctl export download command doesn't restrict permissions to created file to file owner | 0.1%
CVE-2025-62690 | LOW | Open redirect in error page when link opened in new tab | 0.1%
CVE-2025-59480 | MEDIUM | Inadequate validation of SSO redirect credentials permits credential theft | 0.1%
CVE-2026-27659 | MEDIUM | CSRF vulnerability in UpdateAccessControlPolicyActiveStatus endpoint | 0.1%
CVE-2024-11358 | MEDIUM | Insecure Android File Provider Paths | 0.1%
CVE-2026-2299 | MEDIUM | Improper Access Control in Mattermost Google Drive Plugin File Creation Endpoint | 0.1%
CVE-2026-6334 | LOW | OAuth authorization code client binding not enforced during token redemption in Mattermost | 0.1%
CVE-2026-22880 | MEDIUM | Mobile SSO authentication flow allows credential theft via malicious server | 0.1%
CVE-2026-6339 | MEDIUM | Missing request origin validation on burn-on-read reveal endpoint | 0.1%
CVE-2026-2457 | MEDIUM | WebSocket Message Spoofing via Permalink Embed Manipulation | 0.1%
CVE-2026-4339 | MEDIUM | SSRF via unvalidated attachment URLs in Mattermost Agents plugin MCP server | 0.1%
CVE-2025-62190 | MEDIUM | CSRF Allows Call Initiation and Message Delivery | 0.1%
CVE-2025-13321 | LOW | Mattermost Desktop App logging sensitive information and fails to clear data on server deletion | 0.1%
CVE-2025-13326 | LOW | Mattermost Desktop App fails to enable Hardened Runtime when packaged for Mac App Store | 0.1%