CVE Tools

rocket.chat

CommunicationsILcommercial

31

Cumulative CVEs

4

Monthly snapshots

#49

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting rocket.chat.

CVE-2026-48616Rocket.Chat versions <8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authori...9.3Jun 16, 2026
CVE-2026-48929Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes...7.5Jun 16, 2026
CVE-2026-32995The Rocket.Chat DDP method autoTranslate.translateMessage in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.5, <7.13.8, and <7.10.12 accepts a client-supplied IMessage object and passes it d...7.5May 28, 2026
CVE-2026-32994The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of a...5.3May 19, 2026
CVE-2026-29197In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowi...4.3Apr 23, 2026
CVE-2026-29198In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an ...9.8Apr 22, 2026
CVE-2026-22560An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint.5.3Apr 10, 2026
CVE-2026-23477Rocket.Chat Unauthorized Access to OAuth App Details7.7Jan 14, 2026
CVE-2025-7974rocket.chat Incorrect Authorization Information Disclosure Vulnerability7.5Sep 2, 2025
CVE-2024-8270macOS Rocket.Chat: TCC Policy Bypass via Dylib Injection Due to Missing Code Signing Flags and Dangerous Entitlements5.5Jun 10, 2025
CVE-2025-5892RocketChat parseMessage.js parseMessage redos4.3Jun 9, 2025
CVE-2024-42027The E2EE password entropy generated by Rocket.Chat Mobile prior to version 4.5.1 is insufficient, allowing attackers to crack it if they have the appropriate time and resources.6.7Oct 7, 2024
CVE-2024-47048Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier allows stored XSS in the description and release notes of the marketplace and private apps.5.4Sep 24, 2024
CVE-2024-46935Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to denial of service (DoS). Attackers who craft messages with specific characters may crash the workspace due to a...7.5Sep 24, 2024
CVE-2024-46934Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to DOM-based Cross-site Scripting (XSS). Attackers may be able to abuse the UpdateOTRAck method to forge a message...6.1Sep 24, 2024