Nixpkgs Security Tracker

Suggestions search

With package: mattermostLatest

Found 6 matching suggestions

updated 4 days, 3 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    4 packages
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
  • @LeSuisse removed
    5 maintainers
    • @fsagbuya
    • @Kranzes
    • @numinit
    • @mgdelacroix
    • @ryantm
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Time-of-check time-of-use vulnerability in common teams API

Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval, which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint. Mattermost Advisory ID: MMSA-2025-00549

Affected products

Mattermost
  • =<10.11.9
  • ==11.3.0
  • ==10.11.10

Matching in nixpkgs

Package maintainers

Ignored maintainers (5)
Fixed in:
* Unstable: https://github.com/NixOS/nixpkgs/pull/480349 / https://github.com/NixOS/nixpkgs/pull/478724
* 25.11: https://github.com/NixOS/nixpkgs/pull/480574 / https://github.com/NixOS/nixpkgs/pull/479561
updated 4 days, 3 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    4 packages
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
  • @LeSuisse removed
    5 maintainers
    • @fsagbuya
    • @Kranzes
    • @numinit
    • @mgdelacroix
    • @ryantm
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
User profile update exposes password hash and MFA secrets

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. Mattermost Advisory ID: MMSA-2025-00560

Affected products

Mattermost
  • =<10.11.9
  • ==11.3.0
  • ==11.1.3
  • =<11.1.2
  • ==11.2.2
  • =<11.2.1
  • ==10.11.10

Matching in nixpkgs

Package maintainers

Ignored maintainers (5)
Fixed in:
* Unstable: https://github.com/NixOS/nixpkgs/pull/480349 / https://github.com/NixOS/nixpkgs/pull/478724
* 25.11: https://github.com/NixOS/nixpkgs/pull/480574 / https://github.com/NixOS/nixpkgs/pull/479561
updated 4 days, 3 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    4 packages
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
  • @LeSuisse removed
    5 maintainers
    • @fsagbuya
    • @Kranzes
    • @numinit
    • @mgdelacroix
    • @ryantm
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Team Admin Bypass of Invite Permissions via allow_open_invite Field

Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561

Affected products

Mattermost
  • =<10.11.9
  • ==11.3.0
  • ==10.11.10

Matching in nixpkgs

Package maintainers

Ignored maintainers (5)
Fixed in:
* Unstable: https://github.com/NixOS/nixpkgs/pull/480349 / https://github.com/NixOS/nixpkgs/pull/478724
* 25.11: https://github.com/NixOS/nixpkgs/pull/480574 / https://github.com/NixOS/nixpkgs/pull/479561
updated 4 days, 3 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    4 packages
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
  • @LeSuisse removed
    5 maintainers
    • @fsagbuya
    • @Kranzes
    • @numinit
    • @mgdelacroix
    • @ryantm
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Arbitrary application execution via unvalidated server-controlled URLs in Help menu

Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links, which allows a malicious Mattermost server to execute arbitrary executables on a user’s system via the user clicking on certain items in the Help menu. Mattermost Advisory ID: MMSA-2026-00577

Affected products

Mattermost
  • =<5.2.13
  • ==6.1.0
  • ==5.13.3.0
  • ==6.0.3.0
  • =<6.2.0

Matching in nixpkgs

Package maintainers

Ignored maintainers (5)
Fixed in:
* Unstable: https://github.com/NixOS/nixpkgs/pull/480349 / https://github.com/NixOS/nixpkgs/pull/478724
* 25.11: https://github.com/NixOS/nixpkgs/pull/480574 / https://github.com/NixOS/nixpkgs/pull/479561
updated 4 days, 3 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    4 packages
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
  • @LeSuisse removed
    5 maintainers
    • @fsagbuya
    • @Kranzes
    • @numinit
    • @mgdelacroix
    • @ryantm
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Information disclosure via channel mentions in posts

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. Mattermost Advisory ID: MMSA-2025-00563

Affected products

Mattermost
  • =<10.11.9
  • ==11.3.0
  • ==11.1.3
  • =<11.1.2
  • ==11.2.2
  • =<11.2.1
  • ==10.11.10

Matching in nixpkgs

Package maintainers

Ignored maintainers (5)
Fixed in:
* Unstable: https://github.com/NixOS/nixpkgs/pull/480349 / https://github.com/NixOS/nixpkgs/pull/478724
* 25.11: https://github.com/NixOS/nixpkgs/pull/480574 / https://github.com/NixOS/nixpkgs/pull/479561
updated 4 days, 3 hours ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse removed
    4 packages
    • mattermost-desktop
    • python312Packages.mattermostdriver
    • python313Packages.mattermostdriver
    • python314Packages.mattermostdriver
  • @LeSuisse removed
    5 maintainers
    • @ryantm
    • @mgdelacroix
    • @numinit
    • @Kranzes
    • @fsagbuya
  • @LeSuisse accepted
  • @LeSuisse published on GitHub
Authentication bypass via userID login when email and username login are disabled

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate login method restrictions which allows an authenticated user to bypass SSO-only login requirements via userID-based authentication. Mattermost Advisory ID: MMSA-2025-00548

Affected products

Mattermost
  • =<10.11.9
  • ==11.3.0
  • ==11.1.3
  • =<11.1.2
  • ==11.2.2
  • =<11.2.1
  • ==10.11.10

Matching in nixpkgs

Package maintainers

Ignored maintainers (5)
Fixed in:
* Unstable: https://github.com/NixOS/nixpkgs/pull/480349 / https://github.com/NixOS/nixpkgs/pull/478724
* 25.11: https://github.com/NixOS/nixpkgs/pull/480574 / https://github.com/NixOS/nixpkgs/pull/479561