MEDIUM 4.3
GHSA-rmvv-8v8w-rf7x
Mattermost doesn't validate user-supplied input in API request handlers
Details
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID: MMSA-2026-00638
Are you affected?
Enter the version of the package you're using.
Affected packages
Go / github.com/mattermost/mattermost-server
Introduced in:
11.6.0 Fixed in: 11.6.1 Fix
go get github.com/mattermost/mattermost-server@v11.6.1 Go / github.com/mattermost/mattermost-server
Introduced in:
11.5.0 Fixed in: 11.5.4 Fix
go get github.com/mattermost/mattermost-server@v11.5.4 Go / github.com/mattermost/mattermost-server
Introduced in:
11.4.0 Fixed in: 11.4.5 Fix
go get github.com/mattermost/mattermost-server@v11.4.5 Go / github.com/mattermost/mattermost-server
Introduced in:
10.11.0 Fixed in: 10.11.15 Fix
go get github.com/mattermost/mattermost-server@v10.11.15 Go / github.com/mattermost/mattermost-plugin-github
Introduced in:
0 Fixed in: 1.0.1-0.20260330164815-c2840e980b3c Fix
go get github.com/mattermost/mattermost-plugin-github@v1.0.1-0.20260330164815-c2840e980b3c