Nixpkgs Security Tracker

Login with GitHub

Suggestions search

Untriaged
Filter by:
With package: python313Packages.mattermostdriver

Found 21 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-2457
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 days, 17 hours ago
WebSocket Message Spoofing via Permalink Embed Manipulation

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint.. Mattermost Advisory ID: MMSA-2025-00569

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==10.11.11
  • =<10.11.10
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-26246
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 days, 17 hours ago
Memory Exhaustion via Malformed PSD File Upload

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing PSD image files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted PSD file. Mattermost Advisory ID: MMSA-2026-00572

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==10.11.11
  • =<10.11.10
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-26230
3.8 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 days, 17 hours ago
Team Admin Privilege Escalation to Demote Members to Guest

Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531

References

Affected products

Mattermost
  • =<10.11.10
  • ==10.11.11
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2455
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 days, 17 hours ago
SSRF bypass via IPv4-mapped IPv6 literals

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation which allows an attacker to perform SSRF attacks against internal services via IPv4-mapped IPv6 literals (e.g., [::ffff:127.0.0.1]).. Mattermost Advisory ID: MMSA-2026-00585

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==10.11.11
  • =<10.11.10
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2458
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 days, 17 hours ago
Unauthorized channel enumeration in private teams after member removal

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint.. Mattermost Advisory ID: MMSA-2025-00568

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==10.11.11
  • =<10.11.10
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-22545
3.1 LOW
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 days, 17 hours ago
Password Change Bypass via Auth Switch Endpoint

Mattermost versions 10.11.x <= 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider.. Mattermost Advisory ID: MMSA-2026-00583

References

Affected products

Mattermost
  • =<10.11.10
  • ==10.11.11
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-25780
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 days, 17 hours ago
Memory Exhaustion via Malformed DOC File Upload

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to bound memory allocation when processing DOC files which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted DOC file.. Mattermost Advisory ID: MMSA-2026-00581

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==10.11.11
  • =<10.11.10
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-4265
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 days, 17 hours ago
Guest user can upload files without permission across teams

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file metadata in a POST request to a different team. Mattermost Advisory ID: MMSA-2025-00553

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==10.11.11
  • =<10.11.10
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-2578
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 days, 17 hours ago
Information Disclosure via WebSocket Event When Deleting Unrevealed Burn on Read Posts

Mattermost versions 11.3.x <= 11.3.0 fail to preserve the redacted state of burn-on-read posts during deletion which allows channel members to access unrevealed burn-on-read message contents via the WebSocket post deletion event.. Mattermost Advisory ID: MMSA-2026-00579

References

Affected products

Mattermost
  • ==11.3.1
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-24692
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 days, 17 hours ago
Guest users can bypass read permissions via search API

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554

References

Affected products

Mattermost
  • =<11.2.2
  • ==11.3.1
  • ==10.11.11
  • =<10.11.10
  • ==11.2.3
  • =<11.3.0
  • ==11.4.0

Matching in nixpkgs

Package maintainers