rocket.chat

59 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
| CVE | Affected versions | Severity | Description |
| --- | --- | --- | --- |
| CVE-2026-29197 | >= 7.10.0 and < 7.10.10 | 4.3 MEDIUM | In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api |
| CVE-2026-29198 | < 7.10.9 | 9.8 CRITICAL | In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to |
| CVE-2026-22560 | < 8.4.0 | 5.3 MEDIUM | An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulat |
| CVE-2026-30833 | < 7.10.8 | 5.3 MEDIUM | Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13. |
| CVE-2026-30831 | < 7.10.8 | 9.8 CRITICAL | Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13. |
| CVE-2026-28514 | < 7.8.6 | 9.8 CRITICAL | Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.8.6, 7.9.8, 7.10.7, 7.11.4, |
| CVE-2026-23477 | < 6.12.0 | 7.7 HIGH | Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API e |
| CVE-2025-7974 | >= 7.4.0 and < 7.4.4 | 7.5 HIGH | rocket.chat Incorrect Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose s |
| CVE-2025-5892 | <= 7.6.1 | 4.3 MEDIUM | A vulnerability, which was classified as problematic, has been found in RocketChat up to 7.6.1. This issue affects the function pa |
| CVE-2024-47048 | < 6.7.9 | 5.4 MEDIUM | Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier allows stored XSS in the description and release notes of the |
| CVE-2024-46935 | < 6.7.9 | 7.5 HIGH | Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to denial of service (DoS). Attackers who craft |
| CVE-2024-46934 | < 6.7.9 | 6.1 MEDIUM | Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to DOM-based Cross-site Scripting (XSS). Attack |
| CVE-2024-45621 | <= 6.3.4 | 5.4 MEDIUM | The Electron desktop application of Rocket.Chat through 6.3.4 allows stored XSS via links in an uploaded file, related to failure |
| CVE-2024-39713 | < 6.10.1 | 8.6 HIGH | A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. |
| CVE-2023-28359 | < 6.0.0 | 5.3 MEDIUM | A NoSQL injection vulnerability has been identified in the listEmojiCustom method call within Rocket.Chat. This can be exploited b |
| CVE-2023-28358 | < 6.0.0 | 6.1 MEDIUM | A vulnerability has been discovered in Rocket.Chat where a markdown parsing issue in the "Search Messages" feature allows the inse |
| CVE-2023-28357 | < 6.0.0 | 4.3 MEDIUM | A vulnerability has been identified in Rocket.Chat, where the ACL checks in the Slash Command /mute occur after checking whether a |
| CVE-2023-28356 | < 6.0.0 | 7.5 HIGH | A vulnerability has been identified where a maliciously crafted message containing a specific chain of characters can cause the ch |
| CVE-2023-28325 | < 6.0.0 | 6.5 MEDIUM | An improper authorization vulnerability exists in Rocket.Chat <6.0 that could allow a hacker to manipulate the rid parameter and c |
| CVE-2023-28318 | all versions | 5.3 MEDIUM | A vulnerability has been discovered in Rocket.Chat, where messages can be hidden regardless of the Message_KeepHistory or Message_ |
| CVE-2023-28317 | all versions | 5.3 MEDIUM | A vulnerability has been discovered in Rocket.Chat, where editing messages can change the original timestamp, causing the UI to di |
| CVE-2023-28316 | all versions | 9.8 CRITICAL | A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where other active sessions |
| CVE-2023-23911 | < 6.0.0 | 7.5 HIGH | An improper access control vulnerability exists prior to v6 that could allow an attacker to break the E2E encryption of a chat roo |
| CVE-2023-23917 | < 5.2.0 | 8.8 HIGH | A prototype pollution vulnerability exists in Rocket.Chat server <5.2.0 that could allow an attacker to an RCE under the admin acco |
| CVE-2022-44567 | < 3.8.14 | 9.8 CRITICAL | A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a malicious url of op |
| CVE-2022-35251 | < 5.0 | 5.4 MEDIUM | A cross-site scripting vulnerability exists in Rocket.chat <v5 due to style injection in the complete chat window, an adversary is |
| CVE-2022-35250 | < 5.0 | 4.3 MEDIUM | A privilege escalation vulnerability exists in Rocket.chat <v5 which made it possible to elevate privileges for any authenticated |
| CVE-2022-35249 | < 5.0 | 4.3 MEDIUM | An information disclosure vulnerability exists in Rocket.Chat <v5 where the getUserMentionsByChannel meteor server method discloses |
| CVE-2022-35248 | < 4.7.5 | 8.8 HIGH | An improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two factor authentication can |
| CVE-2022-35247 | < 4.7.5 | 4.3 MEDIUM | An information disclosure vulnerability exists in Rocket.chat <v5, <v4.8.2 and <v4.7.5 where the lack of ACL checks in the getRoomR |
| CVE-2022-35246 | < 4.7.5 | 4.3 MEDIUM | A NoSQL-Injection information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 in the getS3Fi |
| CVE-2022-32229 | < 5.0 | 4.3 MEDIUM | An information disclosure vulnerability exists in Rocket.Chat <v5 due to /api/v1/chat.getThreadsList lack of sanitization of user |
| CVE-2022-32228 | < 4.7.5 | 4.3 MEDIUM | An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 since the getReadReceipts Meteor server met |
| CVE-2022-32227 | < 4.7.5 | 6.5 MEDIUM | A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth tokens by havin |
| CVE-2022-32226 | < 4.7.5 | 4.3 MEDIUM | An improper access control vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to input data in the getUsersOfRoom Me |
| CVE-2022-32220 | < 5.0 | 6.5 MEDIUM | An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server method disclos |
| CVE-2022-32219 | < 4.7.5 | 4.3 MEDIUM | An information disclosure vulnerability exists in Rocket.Chat <v4.7.5 which allowed the "users.list" REST endpoint gets a query pa |
| CVE-2022-32218 | < 4.7.5 | 4.3 MEDIUM | An information disclosure vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 due to the actionLinkHandler method was fou |
| CVE-2022-32217 | < 4.6.4 | 5.3 MEDIUM | A cleartext storage of sensitive information exists in Rocket.Chat <v4.6.4 due to Oauth token being leaked in plaintext in Rocket. |
| CVE-2022-32211 | < 3.18.6 | 8.8 HIGH | A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retrieve a reset |
| CVE-2022-30124 | < 4.14.1.22788 | 6.8 MEDIUM | An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with physical acc |
| CVE-2022-21830 | < 1.9.0 | 6.1 MEDIUM | A blind self XSS vulnerability exists in RocketChat LiveChat <v1.9 that could allow an attacker to trick a victim pasting maliciou |
| CVE-2020-8291 | < 3.9.0 | 6.1 MEDIUM | A link preview rendering issue in Rocket.Chat versions before 3.9 could lead to potential XSS attacks. |
| CVE-2021-32832 | < 3.11.3 | 4.3 MEDIUM | Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. In Rocket.Chat before versions 3 |
| CVE-2021-22910 | < 3.11.4 | 9.8 CRITICAL | A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an endpoint w |
| CVE-2020-26763 | all versions | 7.5 HIGH | The Rocket.Chat desktop application 2.17.11 opens external links without user interaction. |
| CVE-2021-22911 | all versions | 9.8 CRITICAL | An improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQ |
| CVE-2021-22892 | < 3.11.3 | 7.5 HIGH | An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed email address |
| CVE-2021-22886 | < 3.8.8 | 6.1 MEDIUM | Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags al |
| CVE-2020-8292 | < 3.9.0 | 5.4 MEDIUM | Rocket.Chat server before 3.9.0 is vulnerable to a self cross-site scripting (XSS) vulnerability via the drag & drop functionality |
| CVE-2020-8288 | < 3.9.2 | 5.4 MEDIUM | The specializedRendering function in Rocket.Chat server before 3.9.2 allows a cross-site scripting (XSS) vulnerability by way of |
| CVE-2020-28208 | <= 3.9.1 | 5.3 MEDIUM | An email address enumeration vulnerability exists in the password reset function of Rocket.Chat through 3.9.1. |
| CVE-2020-29594 | < 0.74.4 | 9.8 CRITICAL | Rocket.Chat before 0.74.4, 1.x before 1.3.4, 2.x before 2.4.13, 3.x before 3.7.3, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 misha |
| CVE-2020-15926 | <= 3.4.2 | 6.1 MEDIUM | Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct message to |
| CVE-2019-17220 | < 2.1.0 | 6.1 MEDIUM | Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. |
| CVE-2018-13879 | < 0.66 | 5.4 MEDIUM | A reflected XSS issue was discovered in the registration form in Rocket.Chat before 0.66. When one creates an account, the next st |
| CVE-2018-13878 | < 0.65 | 6.1 MEDIUM | An XSS issue was discovered in packages/rocketchat-mentions/Mentions.js in Rocket.Chat before 0.65. The real name of a username is |
| CVE-2017-1000493 | <= 0.59 | 9.8 CRITICAL | Rocket.Chat Server version 0.59 and prior is vulnerable to a NoSQL injection leading to administrator account takeover |
| CVE-2017-1000054 | all versions | 6.1 MEDIUM | Rocket.Chat version 0.8.0 and newer is vulnerable to XSS in the markdown link parsing code for messages. |
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin