GHSA-rmvv-8v8w-rf7xMediumCVSS 4.3
Mattermost doesn't validate user-supplied input in API request handlers
🔗 CVE IDs covered (1)
📋 Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID: MMSA-2026-00638
🎯 Affected products5
- go/github.com/mattermost/mattermost-server:= 11.6.0
- go/github.com/mattermost/mattermost-server:>= 11.5.0, < 11.5.4
- go/github.com/mattermost/mattermost-server:>= 11.4.0, < 11.4.5
- go/github.com/mattermost/mattermost-server:>= 10.11.0, < 10.11.15
- go/github.com/mattermost/mattermost-plugin-github:< 1.0.1-0.20260330164815-c2840e980b3c