Skip to content

Commit f36847b

Browse files
1 parent 21f7b15 commit f36847b

2 files changed

Lines changed: 141 additions & 36 deletions

File tree

Lines changed: 141 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,141 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-wvcv-9xpm-7mqc",
4+
"modified": "2026-06-01T15:13:28Z",
5+
"published": "2026-05-18T09:31:48Z",
6+
"aliases": [
7+
"CVE-2026-28732"
8+
],
9+
"summary": "Mattermost doesn't enforce slash command trigger-word uniqueness during command updates",
10+
"details": "Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/mattermost/mattermost/server/v8"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "11.5.0"
29+
},
30+
{
31+
"fixed": "11.5.2"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Go",
40+
"name": "github.com/mattermost/mattermost/server/v8"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "10.11.0"
48+
},
49+
{
50+
"fixed": "10.11.14"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Go",
59+
"name": "github.com/mattermost/mattermost/server/v8"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "11.4.0"
67+
},
68+
{
69+
"fixed": "11.4.4"
70+
}
71+
]
72+
}
73+
]
74+
},
75+
{
76+
"package": {
77+
"ecosystem": "Go",
78+
"name": "github.com/mattermost/mattermost/server/v8"
79+
},
80+
"ranges": [
81+
{
82+
"type": "ECOSYSTEM",
83+
"events": [
84+
{
85+
"introduced": "0"
86+
},
87+
{
88+
"fixed": "8.0.0-20260306123948-f5fe8ded6b63"
89+
}
90+
]
91+
}
92+
]
93+
},
94+
{
95+
"package": {
96+
"ecosystem": "Go",
97+
"name": "github.com/mattermost/mattermost-server"
98+
},
99+
"ranges": [
100+
{
101+
"type": "ECOSYSTEM",
102+
"events": [
103+
{
104+
"introduced": "0"
105+
},
106+
{
107+
"fixed": "5.3.2-0.20260306123948-f5fe8ded6b63"
108+
}
109+
]
110+
}
111+
]
112+
}
113+
],
114+
"references": [
115+
{
116+
"type": "ADVISORY",
117+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28732"
118+
},
119+
{
120+
"type": "WEB",
121+
"url": "https://github.com/mattermost/mattermost/commit/f5fe8ded6b633db7804ae25b42ea12ce635d6ea6"
122+
},
123+
{
124+
"type": "PACKAGE",
125+
"url": "https://github.com/mattermost/mattermost"
126+
},
127+
{
128+
"type": "WEB",
129+
"url": "https://mattermost.com/security-updates"
130+
}
131+
],
132+
"database_specific": {
133+
"cwe_ids": [
134+
"CWE-863"
135+
],
136+
"severity": "MODERATE",
137+
"github_reviewed": true,
138+
"github_reviewed_at": "2026-06-01T15:13:28Z",
139+
"nvd_published_at": "2026-05-18T09:16:22Z"
140+
}
141+
}

advisories/unreviewed/2026/05/GHSA-wvcv-9xpm-7mqc/GHSA-wvcv-9xpm-7mqc.json

Lines changed: 0 additions & 36 deletions
This file was deleted.

0 commit comments

Comments
 (0)