Mattermost Server
cpe:2.3:a:mattermost:mattermost_server:11.4.0:*:*:*:*:*:*:*
part: a version: 11.4.0 update: *
| Vendor | Mattermost (ed0788ef-af60-58f1-b6aa-68289d9946dc) |
|---|---|
| Product | Mattermost Server (657bc445-594e-5ca1-a676-4f18538f1c02) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-3115 | vulnerable | 2026-06-03 15:22:13.821117 | Guest users can view group member IDs without respecting view restrictions. MEDIUM (4.3). Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint. Mattermost Advisory ID: MMSA-2026-00594. Published: 2026-03-26T16:23:05.887Z. Updated: 2026-03-26T17:51:14.689Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-3114 | vulnerable | 2026-06-03 15:22:13.820660 | Zip Bomb Denial of Service via Unrestricted Archive Decompression. MEDIUM (6.5). Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly compressed entries (zip bombs) that exhaust server memory. Mattermost Advisory ID: MMSA-2026-00598. Published: 2026-03-26T16:21:19.421Z. Updated: 2026-03-26T17:51:14.833Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-3113 | vulnerable | 2026-06-03 15:22:13.820073 | mmctl export download command doesn’t restrict permissions to created file to file owner. MEDIUM (5). Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on downloaded bulk export which allows other local users on the server to be able to read contents of the bulk export. Mattermost Advisory ID: MMSA-2026-00593. Published: 2026-03-26T16:18:06.693Z. Updated: 2026-03-26T17:51:15.160Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-3112 | vulnerable | 2026-06-03 15:22:13.819461 | Arbitrary File Read via Advanced Logging Support Packet. MEDIUM (6.8). Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate Advanced Logging file target paths which allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration in support packet generation. Mattermost Advisory ID: MMSA-2025-00562. Published: 2026-03-26T16:29:54.399Z. Updated: 2026-03-26T16:51:15.488Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-3108 | vulnerable | 2026-06-03 15:22:13.811434 | Terminal Escape Injection in mmctl Report Posts Command. HIGH (8). Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking. Mattermost Advisory ID: MMSA-2026-00599. Published: 2026-03-26T16:16:49.790Z. Updated: 2026-03-27T03:55:41.498Z. | Imported from gcve-enriched-dumps CVE data |