CVEFinder.io

CVE-2026-4858

âš ī¸ high
🔍 Scan for this CVE
Summary

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action URL.. Mattermost Advisory ID: MMSA-2026-00640

CVSS Score
8.0
High
EPSS Score
0.1
Exploit Probability
Published Date
2026-05-21
First Seen: 2026-05-22
📊 Relative Risk Intelligence

This CVE is High Risk - more severe than 77.4% of all 330,193 vulnerabilities in our database.

#74,496
Top 25% most severe
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: May 21, 2026
🔍 Exploitation Status
None
No known exploits
âš™ī¸ Automatable
NO
Requires human interaction
đŸ’Ĩ Technical Impact
Total
Complete system compromise possible
🏆 Discovered By
daw10
SSVC data provided by CISA
Last Modified 2026-05-21
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE IDs (Weakness Types)

đŸ“Ļ Affected Products 4

🔗 References 1

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-5139 đŸ”ļ medium 5.4 0.2 Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administra... 2026-06-22
CVE-2026-6062 đŸ”ļ medium 6.4 0.2 Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 Fail to validate channel o... 2026-06-22
CVE-2026-6673 đŸ”ļ medium 6.4 0.2 Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to authenticate Atlas... 2026-06-22
CVE-2026-8074 â„šī¸ low 3.8 0.2 Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user act... 2026-06-22
CVE-2026-9162 đŸ”ļ medium 4.3 0.2 Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to invalidate cached ... 2026-06-22
CVE-2026-8823 â„šī¸ low 3.8 0.2 Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests whi... 2026-06-22
These CVEs affect the same products