matrix-org

Top products

The 15 most recently published vulnerabilities affecting matrix-org.

• CVE-2025-48937matrix-sdk-crypto vulnerable to sender of encrypted events being spoofed by homeserver administrator4.9Jun 10, 2025
• CVE-2025-27155In-memory stored Cross-site scripting (XSS) vulnerability in pineconesim6.1Mar 4, 2025
• CVE-2025-27146Matrix IRC Bridge allows IRC command injection to own puppeted user2.7Feb 25, 2025
• CVE-2025-23197matrix-hookshot has a Potential Denial of Service when Hookshot is configured with GitHub support6.5Jan 27, 2025
• CVE-2025-24024Mjolnir v1.9.0 accepts commands from any room9.1Jan 21, 2025
• CVE-2024-52594Server-Side Request Forgery (SSRF) on redirects and federation in gomatrixserverlib4.3Jan 16, 2025
• CVE-2024-52813matrix-sdk-crypto missing facility to signal rotation of a verified cryptographic identity4.3Jan 7, 2025
• CVE-2024-52505matrix-appservice-irc allows IRC Command injection in provisioning API5.4Nov 14, 2024
• CVE-2024-47824Malicious homeservers can steal message keys when the matrix-react-sdk user invites another user to a room5.3Oct 15, 2024
• CVE-2024-47080matrix-js-sdk keys sent via `sendSharedHistoryKeys` vulnerable to interception by malicious homeserver5.3Oct 15, 2024
• CVE-2024-42369A room with itself as a its predecessor will freeze matrix-js-sdk4.1Aug 20, 2024
• CVE-2024-42347URL preview setting for a room is controllable by the homeserver in matrix-react-sdk7.7Aug 6, 2024
• CVE-2024-40648`UserIdentity::is_verified` not checking verification status of own user identity while performing the check in matrix-rust-sdk5.4Jul 18, 2024
• CVE-2024-40640Usage of non-constant time base64 decoder could lead to leakage of secret key material in vodozemac2.9Jul 17, 2024
• CVE-2024-39691Malicious Matrix homeserver can leak truncated message content of messages it shouldn't have access to4.3Jul 5, 2024