4.3

CVSS3.1

CVE-2026-2458 - Unauthorized channel enumeration in private teams after member removal

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly validate team membership when searching channels, which allows a removed team member to enumerate all public channels within a private team via the channel search API endpoint. Mattermost Advisory ID: MMSA-…

📅 Published: March 16, 2026, 11:27 a.m. 🔄 Last Modified: March 30, 2026, 7:02 a.m.

4.3

CVSS3.1

CVE-2026-2457 - WebSocket Message Spoofing via Permalink Embed Manipulation

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to sanitize client-supplied post metadata, which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint. Mattermost Advisory ID: MM…

📅 Published: March 16, 2026, 11:20 a.m. 🔄 Last Modified: March 30, 2026, 7:02 a.m.

4.3

CVSS3.1

CVE-2026-2461 - Missing authorization check allows unauthorized modification of other users' comments on a board

Mattermost Plugins versions <=11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559

📅 Published: March 16, 2026, 11:16 a.m. 🔄 Last Modified: March 30, 2026, 7:02 a.m.

4.3

CVSS3.1

CVE-2026-2463 - Unauthorized access to invite ID during team creation

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to filter invite IDs based on user permissions, which allows regular users to bypass access control restrictions and register unauthorized accounts via leaked invite IDs during team creation. Mattermost Advisory ID: M…

📅 Published: March 16, 2026, 11:13 a.m. 🔄 Last Modified: March 30, 2026, 7:02 a.m.

7.6

CVSS3.1

CVE-2026-2476 - MS Teams plugin sensitive config values not properly masked in support packets

Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values, which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606

📅 Published: March 16, 2026, 11:11 a.m. 🔄 Last Modified: March 30, 2026, 7:02 a.m.

5.3

CVSS3.1

CVE-2026-2456 - Denial of Service via Unbounded Memory Allocation in Integration Actions

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that retur…

📅 Published: March 16, 2026, 11:06 a.m. 🔄 Last Modified: March 30, 2026, 7:02 a.m.

6.9

CVSS4.0

CVE-2026-4235 - itsourcecode Online Enrollment System login.php sql injection

A weakness has been identified in itsourcecode Online Enrollment System 1.0. This issue affects some unknown processing of the file /sms/login.php. Manipulation of the argument user_email causes SQL injection. The attack can be carried out remotely. The exploit has been made availab…

📅 Published: March 16, 2026, 11:02 a.m. 🔄 Last Modified: April 22, 2026, 9:32 p.m.

6

CVSS4.0

CVE-2025-15554 - Admin Passwords Cached by Browsers in Truesec LAPSWebUI

Browser caching of LAPS passwords in Truesec's LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin passwords.

📅 Published: March 16, 2026, 10:46 a.m. 🔄 Last Modified: April 8, 2026, 8:01 p.m.

6

CVSS4.0

CVE-2025-15553 - Insecure Logout Functionality in Truesec LAPSWebUI

Non-working logout functionality in Truesec's LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password.

📅 Published: March 16, 2026, 10:45 a.m. 🔄 Last Modified: April 20, 2026, 1:18 p.m.

6

CVSS4.0

CVE-2025-15552 - Long Session Lifetime in Truesec LAPSWebUI

Insufficient Session Expiration in Truesec's LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password.

📅 Published: March 16, 2026, 10:44 a.m. 🔄 Last Modified: April 20, 2026, 1:29 p.m.
Total results: 349182
Page 1099 of 34,919