{"url":"http://public2.vulnerablecode.io/api/packages/372627?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7","type":"golang","namespace":"github.com/mattermost/mattermost/server","name":"v8","version":"9.5.7","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"9.5.8","latest_non_vulnerable_version":"11.5.2","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57183?format=json","vulnerability_id":"VCID-31aj-h54r-z7a5","summary":"Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled,  which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41144","reference_id":"","reference_type":"","scores":[{"value":"0.00092","scoring_system":"epss","scoring_elements":"0.25826","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41144"},{"reference_url":"https://github.com/mattermost/mattermost","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mattermost/mattermost"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41144","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual",
"scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41144"},{"reference_url":"https://pkg.go.dev/vuln/GO-2024-3023","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2024-3023"},{"reference_url":"https://mattermost.com/security-updates","reference_id":"security-updates","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L"},{"value":"7.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-05T16:57:35Z/"}],"url":"https://mattermost.com/security-updates"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372664?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@8.0.0-20240619142046-8181a9ddffc0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@8.0.0-20240619142046-8181a9ddffc0"},{"url":"http://public2.vulnerablecode.io/api/packages/372627?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7"},{"url":"http://public2.vulnerablecode.io/api/packages/372628?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.7.6"
,"is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.7.6"},{"url":"http://public2.vulnerablecode.io/api/packages/372629?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.8.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/372631?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1"}],"aliases":["CVE-2024-41144","GHSA-vg67-chm7-8m3j"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-31aj-h54r-z7a5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57318?format=json","vulnerability_id":"VCID-3mh1-4b13-zka9","summary":"Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote, when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel 
read-only.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41162","reference_id":"","reference_type":"","scores":[{"value":"0.00142","scoring_system":"epss","scoring_elements":"0.3418","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41162"},{"reference_url":"https://github.com/mattermost/mattermost","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mattermost/mattermost"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41162","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41162"},{"reference_url":"https://pkg.go.dev/vuln/GO-2024-3031","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2024-3031"},{"reference_url":"https://mattermost.com/security-updates","reference_id":"security-updates","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"},{"value":"5.1","sc
oring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-02T14:45:25Z/"}],"url":"https://mattermost.com/security-updates"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372642?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@8.0.0-20240628125750-70b218839fa7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@8.0.0-20240628125750-70b218839fa7"},{"url":"http://public2.vulnerablecode.io/api/packages/372627?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7"},{"url":"http://public2.vulnerablecode.io/api/packages/372628?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.7.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.7.6"},{"url":"http://public2.vulnerablecode.io/api/packages/372629?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.8.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/372631?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/matterm
ost/server/v8@9.9.1"}],"aliases":["CVE-2024-41162","GHSA-jr9x-3x7m-4j75"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3mh1-4b13-zka9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46886?format=json","vulnerability_id":"VCID-cdt4-nz3s-43bv","summary":"Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39839","reference_id":"","reference_type":"","scores":[{"value":"0.00217","scoring_system":"epss","scoring_elements":"0.4438","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39839"},{"reference_url":"https://github.com/mattermost/mattermost","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mattermost/mattermost"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39839","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39839"},{"reference
_url":"https://pkg.go.dev/vuln/GO-2024-3024","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2024-3024"},{"reference_url":"https://mattermost.com/security-updates","reference_id":"security-updates","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-01T18:04:29Z/"}],"url":"https://mattermost.com/security-updates"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372627?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7"},{"url":"http://public2.vulnerablecode.io/api/packages/372628?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.7.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.7.6"},{"url":"http://public2.vulnerablecode.io/api/packages/372629?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.8.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/matt
ermost/mattermost/server/v8@9.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/372631?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1"}],"aliases":["CVE-2024-39839","GHSA-vg6q-84p8-qvqh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cdt4-nz3s-43bv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46723?format=json","vulnerability_id":"VCID-g46g-dzk8-7kc7","summary":"Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly safeguard an error handling which allows a malicious remote to permanently delete local data by abusing dangerous error handling, when share channels were enabled.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39832","reference_id":"","reference_type":"","scores":[{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49874","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39832"},{"reference_url":"https://github.com/mattermost/mattermost","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mattermost/mattermost"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39832","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H"},{"value":"6.1","scoring_system":"cvs
sv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39832"},{"reference_url":"https://pkg.go.dev/vuln/GO-2024-3020","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2024-3020"},{"reference_url":"https://mattermost.com/security-updates","reference_id":"security-updates","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H"},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-07T14:09:09Z/"}],"url":"https://mattermost.com/security-updates"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372627?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7"},{"url":"http://public2.vulnerablecode.io/api/packages/372628?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.7.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.7.6"},{"url":"http://public2.vulnerablecode.io/api
/packages/372629?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.8.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/372631?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1"}],"aliases":["CVE-2024-39832","GHSA-762m-4cx6-6mf4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g46g-dzk8-7kc7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57188?format=json","vulnerability_id":"VCID-gf5y-7stz-5fbm","summary":"Mattermost versions 9.9.x <= 9.9.0 and 9.5.x <= 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another 
remote.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41926","reference_id":"","reference_type":"","scores":[{"value":"0.00162","scoring_system":"epss","scoring_elements":"0.36946","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-41926"},{"reference_url":"https://github.com/mattermost/mattermost","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mattermost/mattermost"},{"reference_url":"https://github.com/mattermost/mattermost/commit/5114c3b7cdb84086959bf0ef8bc5afdaedf9fef6","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mattermost/mattermost/commit/5114c3b7cdb84086959bf0ef8bc5afdaedf9fef6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41926","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41926"},{"reference_url":"https://pkg.go.dev/vuln/GO-2024-3022","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","s
coring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2024-3022"},{"reference_url":"https://mattermost.com/security-updates","reference_id":"security-updates","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-01T14:31:59Z/"}],"url":"https://mattermost.com/security-updates"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372647?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@8.0.0-20240604093018-5114c3b7cdb8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@8.0.0-20240604093018-5114c3b7cdb8"},{"url":"http://public2.vulnerablecode.io/api/packages/372627?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7"},{"url":"http://public2.vulnerablecode.io/api/packages/372631?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1"}],"aliases":["CVE-2024-41926","GHSA-9fpw-c9x7-c
v3j"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gf5y-7stz-5fbm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46411?format=json","vulnerability_id":"VCID-gs7a-bcps-3yge","summary":"Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39837","reference_id":"","reference_type":"","scores":[{"value":"0.00297","scoring_system":"epss","scoring_elements":"0.53513","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39837"},{"reference_url":"https://github.com/mattermost/mattermost","reference_id":"","reference_type":"","scores":[{"value":"3.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mattermost/mattermost"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39837","reference_id":"","reference_type":"","scores":[{"value":"3.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39837"},{"reference_url":"https://pkg.go.dev/vuln/GO-2024-3032","reference_id":"","reference_type":"","scores":[{"value":"3.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2024-3032"},{"reference_url":"https://mattermost.com/security-updates","reference_id":"security-updates","reference_type":"","scores":[{"value":"3.8","scoring_system":"cvssv3.1","scoring_e
lements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-01T20:47:43Z/"}],"url":"https://mattermost.com/security-updates"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372632?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@8.0.0-20240626164322-c758cecaf30c","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@8.0.0-20240626164322-c758cecaf30c"},{"url":"http://public2.vulnerablecode.io/api/packages/372627?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7"},{"url":"http://public2.vulnerablecode.io/api/packages/372631?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1"}],"aliases":["CVE-2024-39837","GHSA-vvpg-55p7-5h8w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gs7a-bcps-3yge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46871?format=json","vulnerability_id":"VCID-jj74-m9xz-cfcr","summary":"Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to properly validate that the channel that comes from the sync message is a shared channel, when shared channels are enabled, which allows a malicious remote to add users to arbitrary teams and 
channels","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39274","reference_id":"","reference_type":"","scores":[{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42336","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39274"},{"reference_url":"https://github.com/mattermost/mattermost","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mattermost/mattermost"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39274","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39274"},{"reference_url":"https://pkg.go.dev/vuln/GO-2024-3028","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2024-3028"},{"reference_url":"https://mattermost.com/security-updates","reference_id":"security-updates","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.3","sco
ring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-02T14:46:09Z/"}],"url":"https://mattermost.com/security-updates"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372627?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7"},{"url":"http://public2.vulnerablecode.io/api/packages/372628?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.7.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.7.6"},{"url":"http://public2.vulnerablecode.io/api/packages/372629?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.8.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/372631?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1"}],"aliases":["CVE-2024-39274","GHSA-cmc8-222c-vqp9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jj74-m9xz-cfcr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47987?format=json","vulnerability_id":"VCID-kf2k-v6yx-x7bx","summary":"Mattermost 
versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-29977","reference_id":"","reference_type":"","scores":[{"value":"0.00155","scoring_system":"epss","scoring_elements":"0.3608","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-29977"},{"reference_url":"https://github.com/mattermost/mattermost","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mattermost/mattermost"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29977","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29977"},{"reference_url":"https://pkg.go.dev/vuln/GO-2024-3030","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2024-3030"},{"reference_url":"https://mattermost.com/security-updates","ref
erence_id":"security-updates","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-01T14:34:53Z/"}],"url":"https://mattermost.com/security-updates"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372627?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7"},{"url":"http://public2.vulnerablecode.io/api/packages/372631?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1"}],"aliases":["CVE-2024-29977","GHSA-jq3g-xqpx-37x3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kf2k-v6yx-x7bx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42018?format=json","vulnerability_id":"VCID-qe6t-ewky-x7bv","summary":"Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. 
This allows a malicious remote to overwrite an existing local user.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36492","reference_id":"","reference_type":"","scores":[{"value":"0.00207","scoring_system":"epss","scoring_elements":"0.43192","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-36492"},{"reference_url":"https://github.com/mattermost/mattermost","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mattermost/mattermost"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36492","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36492"},{"reference_url":"https://pkg.go.dev/vuln/GO-2024-3025","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pkg.go.dev/vuln/GO-2024-3025"},{"reference_url":"https://mattermost.com/security-updates","reference_id":"security-updates","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3
.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-05T16:56:57Z/"}],"url":"https://mattermost.com/security-updates"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372627?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7"},{"url":"http://public2.vulnerablecode.io/api/packages/372628?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.7.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.7.6"},{"url":"http://public2.vulnerablecode.io/api/packages/372629?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.8.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/372631?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1"}],"aliases":["CVE-2024-36492","GHSA-56mc-f9w7-2wxq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qe6t-ewky-x7bv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46813?format=json","vulnerab
ility_id":"VCID-zaqv-4ype-5kgc","summary":"Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local channel will then become shared without the consent of the local admin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39777","reference_id":"","reference_type":"","scores":[{"value":"0.00284","scoring_system":"epss","scoring_elements":"0.52085","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39777"},{"reference_url":"https://github.com/mattermost/mattermost","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mattermost/mattermost"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39777","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39777"},{"reference_url":"https://mattermost.com/security-updates","reference_id":"security-updates","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L
/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-01T14:33:32Z/"}],"url":"https://mattermost.com/security-updates"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372627?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7"},{"url":"http://public2.vulnerablecode.io/api/packages/372628?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.7.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.7.6"},{"url":"http://public2.vulnerablecode.io/api/packages/372667?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.8.1"},{"url":"http://public2.vulnerablecode.io/api/packages/372631?format=json","purl":"pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.9.1"}],"aliases":["CVE-2024-39777","GHSA-q22q-2rrf-m27p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zaqv-4ype-5kgc"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:golang/github.com/mattermost/mattermost/server/v8@9.5.7"}