In Mattermost versions 11.1.x up to and including 11.1.2, 10.11.x up to and including 10.11.9, and 11.2.x up to and including 11.2.1 a medium severity vulnerability CVE-2025-13821 was detected. This vulnerability allows authenticated users to exfiltrate sensitive information, including password hashes and MFA secrets, via profile nickname updates or email verification events due to improper sanitization of sensitive data in WebSocket messages. To address this issue, users should upgrade Mattermost to versions 11.3.0, 11.1.3, 10.11.10 or 11.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13821.
Read more Communication
In PostgreSQL versions 18.0 and 18.1 a high severity vulnerability CVE-2026-2007 was detected. This vulnerability allows a database user to trigger a heap buffer overflow via a crafted input string in the pg_trgm extension, which may lead to privilege escalation or other unintended impacts due to improper memory handling. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-2007.
Read more Database
In Mattermost Jira Plugin versions 11.1.x up to and including 11.1.2, 10.11.x up to and including 10.11.9 and 11.2.x up to and including 11.2.1 a medium severity vulnerability CVE-2026-22892 was detected. This vulnerability allows authenticated attackers with access to the Jira plugin to read post content and attachments from channels they do not have access to by providing the post ID to the /create-issue API endpoint due to insufficient authorization validation. To address this issue, users should upgrade Mattermost Jira Plugin to versions 11.3.0, 11.1.3, 10.11.10 or 11.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22892.
Read more Communication
In Mattermost version 10.11.x up to and including 10.11.9 a low severity vulnerability CVE-2026-20796 was detected. This vulnerability allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint due to improper validation of channel membership at the time of data retrieval. To address this issue, users should upgrade Mattermost to versions 10.11.10 or 11.3.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-20796.
Read more Communication
In Mattermost Desktop App versions up to and including 6.0, 6.2.0 and 5.2.13.0 a high severity vulnerability CVE-2026-1046 was detected. This vulnerability allows a malicious Mattermost server to execute arbitrary executables on a user’s system by exploiting insufficient validation of help links when a user clicks certain items in the Help menu. To address this issue, users should upgrade Mattermost Desktop App to versions 6.1.0, 6.0.3.0 or 5.13.3.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1046.
Read more Communication
In Mattermost versions 11.1.x up to and including 11.1.2, 10.11.x up to and including 10.11.9 and 11.2.x up to and including 11.2.1 a medium severity vulnerability CVE-2026-0999 was detected. This vulnerability allows authenticated users to bypass SSO-only login requirements via userID-based authentication due to improper validation of login method restrictions. To address this issue, users should upgrade Mattermost to versions 11.3.0, 11.1.3, 10.11.10 or 11.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0999.
Read more Communication
In Mattermost versions 11.1.x up to and including 11.1.2, 10.11.x up to and including 10.11.9, 11.2.x up to and including 11.2.1 and Mattermost Plugin Zoom versions up to and including 1.11.0, a high severity vulnerability CVE-2026-0998 was detected. This vulnerability allows attackers to start Zoom meetings as any user and overwrite arbitrary posts via direct API calls with manipulated user IDs and post data due to insufficient validation of user identity and post ownership in the /api/v1/askPMI endpoint. To address this issue, users should upgrade Mattermost and the Mattermost Zoom Plugin to versions 11.3.0, 11.1.3, 10.11.10 or 11.2.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0998.
Read more Communication
In Gogs versions 0.13.4 and prior a high severity vulnerability CVE-2026-25232 was detected. This vulnerability allows authenticated attackers with write permissions to delete protected branches, including the default branch, via a direct POST request to the web interface, bypassing branch protection mechanisms and enabling privilege escalation to perform administrative-level operations. To address this issue, users should upgrade Gogs to version 0.14.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25232.
Read more Developer Tools
In Gogs versions 0.13.4 and below a high severity vulnerability CVE-2026-25229 was detected. This vulnerability allows authenticated users with write access to one repository to modify labels belonging to other repositories due to improper repository ownership validation in the Web UI label update endpoint. To address this issue, users should upgrade Gogs to version 0.14.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25229.
Read more Developer Tools