Mattermost Desktop
cpe:2.3:a:mattermost:mattermost_desktop:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Mattermost (ed0788ef-af60-58f1-b6aa-68289d9946dc) |
|---|---|
| Product | Mattermost Desktop (4a43fdaf-9c08-57c4-b718-be7fc51efdb0) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/mattermost/desktop | purl2cpe | 2026-06-01 10:18:19.798665 |
| pkg:sourceforge/mattermost-desktop.mirror | purl2cpe | 2026-06-01 10:18:19.798667 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-1628 | vulnerable | 2026-06-03 15:14:44.801257 | Mattermost allows external websites to open within the app, exposing preload functionality to non-trusted sites.<br>MEDIUM (4.6)<br>Mattermost Desktop App versions <=5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server. Mattermost Advisory ID: MMSA-2026-00596<br>Published: 2026-03-02T13:24:21.391Z<br>Updated: 2026-03-02T14:58:30.546Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-1046 | vulnerable | 2026-06-03 15:14:43.671083 | Arbitrary application execution via unvalidated server-controlled URLs in Help menu<br>HIGH (7.6)<br>Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a user’s system via the user clicking on certain items in the Help menu. Mattermost Advisory ID: MMSA-2026-00577<br>Published: 2026-02-16T12:10:38.668Z<br>Updated: 2026-02-17T17:05:58.569Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-58084 | vulnerable | 2026-06-03 15:06:20.621539 | Mattermost Desktop App crashes when clicking on malformed external URL<br>LOW (3.5)<br>Mattermost Desktop App versions <= 5.13.0 fail to validate URLs external to the configured Mattermost servers, allowing an attacker on a server the user has configured to crash the user's application by sending the user a malformed URL.<br>Published: 2025-10-13T19:57:23.997Z<br>Updated: 2025-10-14T14:28:52.930Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-55035 | vulnerable | 2026-06-03 15:04:57.550662 | Mattermost Desktop DoS when user has basic authentication server configured<br>MEDIUM (6.1)<br>Mattermost Desktop App versions <=5.13.0 fail to manage modals in the Mattermost Desktop App that stops a user with a server that uses basic authentication from accessing their server which allows an attacker that provides a malicious server to the user to deny use of the Desktop App via having the user configure the malicious server and forcing a modal popup that cannot be closed.<br>Published: 2025-10-16T15:18:25.389Z<br>Updated: 2025-10-16T16:28:05.951Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-1398 | vulnerable | 2026-06-03 14:59:05.354682 | macOS TCC Bypass via Code Injection<br>LOW (3.3)<br>Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection.<br>Published: 2025-03-17T14:19:51.718Z<br>Updated: 2025-03-31T15:38:58.774Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-13326 | vulnerable | 2026-06-03 14:58:45.898856 | Mattermost Desktop App fails to enable Hardened Runtime when packaged for Mac App Store<br>LOW (3.9)<br>Mattermost Desktop App versions <6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder.<br>Published: 2025-12-17T18:14:14.131Z<br>Updated: 2025-12-17T19:29:30.738Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-13321 | vulnerable | 2026-06-03 14:58:45.891525 | Mattermost Desktop App logging sensitive information and fails to clear data on server deletion<br>LOW (3.3)<br>Mattermost Desktop App versions <6.0.0 fail to sanitize sensitive information from Mattermost logs and clear data on server deletion which allows an attacker with access to the user's system to gain access to potentially sensitive information via reading the application logs.<br>Published: 2025-12-17T18:14:12.745Z<br>Updated: 2025-12-17T19:29:49.378Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-45835 | vulnerable | 2026-06-03 14:56:59.080412 | Insufficient Electron Fuses Configuration<br>LOW (2.5)<br>Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather Chromium cookies or abuse other misconfigurations via remote/local access.<br>Published: 2024-09-16T14:27:47.636Z<br>Updated: 2024-09-16T14:42:39.152Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-39772 | vulnerable | 2026-06-03 14:56:22.386071 | Silent Desktop Screenshot Capture<br>LOW (3.7)<br>Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs.<br>Published: 2024-09-16T14:27:47.103Z<br>Updated: 2024-09-16T14:42:19.953Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-39613 | vulnerable | 2026-06-03 14:56:22.040298 | RCE in desktop app in Windows by local attacker<br>MEDIUM (5.3)<br>Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a local attacker who is able to put a cmd.exe file in the Downloads folder of a user's machine to cause remote code execution on that machine.<br>Published: 2024-09-16T06:40:58.501Z<br>Updated: 2024-09-16T13:05:12.477Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-37182 | vulnerable | 2026-06-03 14:56:06.008479 | Lack of permissions prompting when opening external URLs<br>MEDIUM (4.7)<br>Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force a victim over the Internet to run arbitrary programs on the victim's system via custom URI schemes.<br>Published: 2024-06-14T08:39:19.578Z<br>Updated: 2024-08-02T03:50:55.403Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-36287 | vulnerable | 2026-06-03 14:56:03.877604 | Bypass of TCC restrictions on macOS<br>LOW (3.8)<br>Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags which allows for bypassing TCC restrictions on macOS.<br>Published: 2024-06-14T08:39:08.132Z<br>Updated: 2024-08-02T03:37:03.683Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-5920 | vulnerable | 2026-06-03 14:53:49.935681 | Lack Of Secure Keyboard Entry Protection in MacOS Desktop<br>LOW (2.9)<br>Mattermost Desktop for MacOS fails to utilize the secure keyboard input functionality provided by macOS, allowing for other processes to read the keyboard input.<br>Published: 2023-11-02T08:34:30.659Z<br>Updated: 2025-02-27T20:36:12.934Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-5876 | vulnerable | 2026-06-03 14:53:49.843924 | Regex DoS from a malicious server enrolled in Desktop<br>LOW (3.1)<br>Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enrolled server to mount a Denial Of Service.<br>Published: 2023-11-02T08:26:01.611Z<br>Updated: 2024-09-05T18:12:06.794Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-5875 | vulnerable | 2026-06-03 14:53:49.843563 | Lack of Hardening against media exploitation from a remote origin<br>LOW (3.7)<br>Mattermost Desktop fails to correctly handle permissions or prompt the user for consent on certain sensitive ones, allowing media exploitation from a malicious Mattermost server.<br>Published: 2023-11-02T08:27:05.082Z<br>Updated: 2024-09-05T18:12:33.829Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-5339 | vulnerable | 2026-06-03 14:53:48.303349 | Mattermost Desktop logs all keystrokes during initial run after fresh installation<br>MEDIUM (4.7)<br>Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation, resulting in all keystrokes, including password entry, being logged.<br>Published: 2023-10-17T09:30:41.612Z<br>Updated: 2024-09-05T19:46:10.145Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-2000 | vulnerable | 2026-06-03 14:51:41.913208 | Unrestricted navigation due to unvalidated Mattermost server redirection<br>MEDIUM (5.4)<br>Mattermost Desktop App fails to validate a Mattermost server redirection and navigates to an arbitrary website.<br>Published: 2023-05-02T08:57:39.331Z<br>Updated: 2024-12-06T23:04:35.557Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-14456 | vulnerable | 2026-06-03 14:41:43.840036 | Details available<br>An issue was discovered in Mattermost Desktop App before 4.4.0. The Same Origin Policy is mishandled during access-control decisions for web APIs, aka MMSA-2020-0006.<br>Published: 2020-06-19T13:12:30.000Z<br>Updated: 2024-08-04T12:46:34.475Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-14455 | vulnerable | 2026-06-03 14:41:43.839642 | Details available<br>An issue was discovered in Mattermost Desktop App before 4.4.0. Prompting for HTTP Basic Authentication is mishandled, allowing phishing, aka MMSA-2020-0007.<br>Published: 2020-06-19T13:11:32.000Z<br>Updated: 2024-08-04T12:46:34.559Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-14454 | vulnerable | 2026-06-03 14:41:43.839150 | Details available<br>An issue was discovered in Mattermost Desktop App before 4.4.0. Attackers can open web pages in the desktop application because server redirection is mishandled, aka MMSA-2020-0008.<br>Published: 2020-06-19T13:10:48.000Z<br>Updated: 2024-08-04T12:46:34.571Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2019-20861 | vulnerable | 2026-06-03 14:40:17.754226 | Details available<br>An issue was discovered in Mattermost Desktop App before 4.2.2. It allows attackers to execute arbitrary code via a crafted link.<br>Published: 2020-06-19T14:16:54.000Z<br>Updated: 2024-08-05T02:53:09.448Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2019-20856 | vulnerable | 2026-06-03 14:40:17.746297 | Details available<br>An issue was discovered in Mattermost Desktop App before 4.3.0 on macOS. It allows dylib injection.<br>Published: 2020-06-19T14:07:21.000Z<br>Updated: 2024-08-05T02:53:09.422Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2018-21265 | vulnerable | 2026-06-03 14:38:40.613975 | Details available<br>An issue was discovered in Mattermost Desktop App before 4.0.0. It mishandled the Same Origin Policy for setPermissionRequestHandler (e.g., video, audio, and notifications).<br>Published: 2020-06-19T16:51:42.000Z<br>Updated: 2024-08-05T12:26:39.571Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-11064 | vulnerable | 2026-06-03 14:35:30.318593 | Details available<br>An issue was discovered in Mattermost Desktop App before 3.4.0. Strings could be executed as code via injection.<br>Published: 2020-06-19T19:22:33.000Z<br>Updated: 2024-08-06T03:47:34.939Z | Imported from gcve-enriched-dumps CVE data |