更新: 413 个文件 - 2026-03-24 03:45:07

07-framework-security/cms/directus/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `29`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/cms/discourse/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `30`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/cms/drupal/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `70`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/cms/ghost/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `23`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/cms/joomla/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `100`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/cms/mediawiki/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `70`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/cms/moodle/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `40`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/cms/strapi/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `26`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/cms/wordpress/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `140`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/ecommerce/adobe-commerce/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `81`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/ecommerce/magento-open-source/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `89`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/ecommerce/medusa/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `15`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/ecommerce/opencart/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `100`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/ecommerce/openmage/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `27`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/ecommerce/prestashop/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `112`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/ecommerce/saleor/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `24`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/ecommerce/shopware/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `71`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/ecommerce/woocommerce/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `111`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/angular/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `2`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/aspnet-core/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `3`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/astro/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `14`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/django/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `82`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/echo/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `2`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/esbuild/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `1`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/express/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `1`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/fastify/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `1`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/flask/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `1`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/gin/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `1`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/hapi/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `1`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/koa/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `1`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/laravel/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `2`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/nestjs/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `2`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/nextjs/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `40`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/nodejs/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `8`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/nuxt/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `28`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/rails/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `42`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/react/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `21`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/spring-boot/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `2`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/spring-framework/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `11`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/spring-security/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `4`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/sveltekit/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `3`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/symfony/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `9`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/undici/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `9`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/vite/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `30`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/vue/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `15`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/webpack/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `1`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/frameworks/werkzeug/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `1`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/platforms/adminer/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `2`
-- 最近渲染时间: `2026-03-23T09:54:10+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/platforms/gitea/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `13`
-- 最近渲染时间: `2026-03-23T09:54:10+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/platforms/gitlab-ce/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `55`
-- 最近渲染时间: `2026-03-23T09:54:10+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/platforms/grafana/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `60`
-- 最近渲染时间: `2026-03-23T09:54:10+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/platforms/jenkins/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `60`
-- 最近渲染时间: `2026-03-23T09:54:10+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/platforms/kibana/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `47`
-- 最近渲染时间: `2026-03-23T09:54:10+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/platforms/mattermost/INDEX.md

@@ -5,14 +5,14 @@
 - 系统 ID: `mattermost`
 - 分类: `platforms`
 - 覆盖策略: `rolling-24m`
-- 总案例数: `21`
-- 近 30 天新增/更新: `20`
-- 重点 Markdown 案例数: `21`
+- 总案例数: `31`
+- 近 30 天新增/更新: `30`
+- 重点 Markdown 案例数: `31`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
-- 待人工/缺浏览器证据: `21`
-- 最近渲染时间: `2026-03-23T09:54:10+00:00`
+- 待人工/缺浏览器证据: `31`
+- 最近渲染时间: `2026-03-24T09:18:19+00:00`
 
 ## 目标约束
 
@@ -34,8 +34,18 @@
 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
 | Issue Identifier | `severity` | `generated` | `triage-manual` | `synthetic` | `official` | `Fix Release Date` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-issue-identifier.md) |
-| Mattermost fails to validate user's authentication method when processing account auth type switch | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-19T19:31:20.982512Z` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-22545.md) |
-| MMSA-2025-00553 | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-16` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-4265.md) |
+| Mattermost fails to validate user's authentication method when processing account auth type switch | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-23T18:56:23.696710Z` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-22545.md) |
+| Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-23T18:56:08.125706Z` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2455.md) |
+| Mattermost fails to properly enforce read permissions in search API endpoints | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-23T18:55:57.125165Z` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-24692.md) |
+| Mattermost fails to use consistent error responses when handling the /mute command | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-23T18:56:15.398070Z` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-21386.md) |
+| Mattermost fails to validate team-specific upload_file permissions | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-23T18:56:04.837800Z` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-4265.md) |
+| Mattermost allows a removed team member to enumerate all public channels within a private team | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-23T18:56:02.455815Z` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2458.md) |
+| Mattermost fails to filter invite IDs based on user permissions | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-23T18:56:08.610141Z` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2463.md) |
+| Mattermost fails to preserve the redacted state of burn-on-read posts during deletion | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-23T18:56:01.583567Z` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2578.md) |
+| Mattermost fails to properly handle very long passwords | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-23T18:56:03.732922Z` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-24458.md) |
+| Mattermost allows attackers to spoof permalink embeds | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-23T18:56:18.286997Z` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2457.md) |
+| Mattermost fails to bound memory allocation when processing DOC files | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-23T18:56:18.467718Z` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-25780.md) |
+| Mattermost fails to bound memory allocation when processing PSD image files | `low` | `generated` | `triage-manual` | `synthetic` | `ecosystem-authority` | `2026-03-23T18:56:08.918090Z` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-26246.md) |
 | MMSA-2026-00574 | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-16` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-mmsa-2026-00574.md) |
 | MMSA-2026-00603 | `low` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-16` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-mmsa-2026-00603.md) |
 | MMSA-2026-00624 | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-16` | [link](/Users/x/websafe/07-framework-security/platforms/mattermost/cases/mattermost-mmsa-2026-00624.md) |

07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-21386.md

@@ -0,0 +1,178 @@
+---
+title: "Mattermost fails to use consistent error responses when handling the /mute command"
+system_id: "mattermost"
+category: "platforms"
+advisory_mode: "core"
+published_date: "2026-03-16T15:30:46Z"
+updated_date: "2026-03-23T18:56:15.398070Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "ecosystem-authority"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-21386"
+  - "GO-2026-4744"
+  - "GHSA-5mr9-crcg-8wh2"
+affected_versions:
+  - "introduced=0, fixed<8.0.0-20260130144323-5bb5261c72fa"
+  - "introduced=0, fixed<5.3.2-0.20260130144323-5bb5261c72fa"
+  - "introduced=10.11.0-rc1, fixed<10.11.11"
+  - "introduced=11.2.0-rc1, fixed<11.2.3"
+  - "introduced=11.3.0-rc1, fixed<11.3.1"
+  - "introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible"
+  - "introduced=0"
+fixed_versions:
+  - "8.0.0-20260130144323-5bb5261c72fa"
+  - "5.3.2-0.20260130144323-5bb5261c72fa"
+  - "10.11.11"
+  - "11.2.3"
+  - "11.3.1"
+  - "10.11.11+incompatible"
+  - "11.2.3+incompatible"
+  - "11.3.1+incompatible"
+entity_refs:
+  - "mattermost:system:root-system"
+  - "mattermost--repo--github-com-mattermost-mattermost-server:repo:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "dependency-upgrade-policy"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-21386"
+---
+
+# Mattermost fails to use consistent error responses when handling the /mute command
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `mattermost--CVE-2026-21386`
+- 系统: `mattermost`
+- 严重度: `low`
+- 来源置信度: `ecosystem-authority`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-21386
+- 影响版本: `introduced=0, fixed<8.0.0-20260130144323-5bb5261c72fa, introduced=0, fixed<5.3.2-0.20260130144323-5bb5261c72fa, introduced=10.11.0-rc1, fixed<10.11.11, introduced=11.2.0-rc1, fixed<11.2.3, introduced=11.3.0-rc1, fixed<11.3.1, introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible, introduced=0`
+- 修复版本: `8.0.0-20260130144323-5bb5261c72fa, 5.3.2-0.20260130144323-5bb5261c72fa, 10.11.11, 11.2.3, 11.3.1, 10.11.11+incompatible, 11.2.3+incompatible, 11.3.1+incompatible`
+
+## 对象与版本映射
+
+- Advisory Scope: `repo`
+- 影响对象: `mattermost / mattermost-server`
+- Entity Refs: `mattermost, mattermost--repo--github-com-mattermost-mattermost-server`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-21386, https://github.com/advisories/GHSA-5mr9-crcg-8wh2, https://github.com/mattermost/mattermost/commit/5bb5261c72faa476558a694c23581d24b734da41, https://github.com/mattermost/mattermost, https://mattermost.com/security-updates`
+
+## 受控验证流程
+
+- Workflow ID: `mattermost--CVE-2026-21386--workflow`
+- 漏洞家族: `unknown`
+- 入口面: `repo-surface`
+- 需要角色: `unknown`
+- 触发向量: 对 `unknown` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/repo`
+- 输入形态: 提交最小化、可审计、可回滚的受控输入。
+- 预期不安全行为: 目标表现出超出设计边界的行为。
+
+## 其他来源
+
+- https://github.com/advisories/GHSA-5mr9-crcg-8wh2
+- https://github.com/mattermost/mattermost/commit/5bb5261c72faa476558a694c23581d24b734da41
+- https://github.com/mattermost/mattermost
+- https://mattermost.com/security-updates
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<8.0.0-20260130144323-5bb5261c72fa, introduced=0, fixed<5.3.2-0.20260130144323-5bb5261c72fa, introduced=10.11.0-rc1, fixed<10.11.11` 升级或回移到 `8.0.0-20260130144323-5bb5261c72fa`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `unknown` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-22545.md

@@ -4,7 +4,7 @@ system_id: "mattermost"
 category: "platforms"
 advisory_mode: "core"
 published_date: "2026-03-16T15:30:47Z"
-updated_date: "2026-03-19T19:31:20.982512Z"
+updated_date: "2026-03-23T18:56:23.696710Z"
 severity: "low"
 exploit_status: "unknown"
 source_confidence: "ecosystem-authority"
@@ -21,6 +21,7 @@ authorization_prerequisite: "asset ownership proof or explicit written authoriza
 minimal_validation: "read-only probe, controlled payload, reversible test"
 aliases:
   - "CVE-2026-22545"
+  - "GO-2026-4786"
   - "GHSA-rv67-7w2g-7976"
 affected_versions:
   - "introduced=0, fixed<8.0.0-20260127144908-ced9a56e3988"
@@ -28,12 +29,17 @@ affected_versions:
   - "introduced=10.11.0-rc1, fixed<10.11.11"
   - "introduced=11.2.0-rc1, fixed<11.2.3"
   - "introduced=11.3.0-rc1, fixed<11.3.1"
+  - "introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible"
+  - "introduced=0"
 fixed_versions:
   - "8.0.0-20260127144908-ced9a56e3988"
   - "5.3.2-0.20260127144908-ced9a56e3988"
   - "10.11.11"
   - "11.2.3"
   - "11.3.1"
+  - "10.11.11+incompatible"
+  - "11.2.3+incompatible"
+  - "11.3.1+incompatible"
 entity_refs:
   - "mattermost:system:root-system"
   - "mattermost--repo--github-com-mattermost-mattermost-server:repo:affected-component"
@@ -63,8 +69,8 @@ primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-22545"
 - 严重度: `low`
 - 来源置信度: `ecosystem-authority`
 - 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-22545
-- 影响版本: `introduced=0, fixed<8.0.0-20260127144908-ced9a56e3988, introduced=0, fixed<5.3.2-0.20260127144908-ced9a56e3988, introduced=10.11.0-rc1, fixed<10.11.11, introduced=11.2.0-rc1, fixed<11.2.3, introduced=11.3.0-rc1, fixed<11.3.1`
-- 修复版本: `8.0.0-20260127144908-ced9a56e3988, 5.3.2-0.20260127144908-ced9a56e3988, 10.11.11, 11.2.3, 11.3.1`
+- 影响版本: `introduced=0, fixed<8.0.0-20260127144908-ced9a56e3988, introduced=0, fixed<5.3.2-0.20260127144908-ced9a56e3988, introduced=10.11.0-rc1, fixed<10.11.11, introduced=11.2.0-rc1, fixed<11.2.3, introduced=11.3.0-rc1, fixed<11.3.1, introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible, introduced=0`
+- 修复版本: `8.0.0-20260127144908-ced9a56e3988, 5.3.2-0.20260127144908-ced9a56e3988, 10.11.11, 11.2.3, 11.3.1, 10.11.11+incompatible, 11.2.3+incompatible, 11.3.1+incompatible`
 
 ## 对象与版本映射
 
@@ -73,21 +79,22 @@ primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-22545"
 - Entity Refs: `mattermost, mattermost--repo--github-com-mattermost-mattermost-server`
 - 版本置信度: `high`
 - 版本缺口: `-`
-- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-22545, https://github.com/mattermost/mattermost/commit/ced9a56e3988fe9fd4559d45f9971dbd562e2218, https://github.com/mattermost/mattermost, https://mattermost.com/security-updates`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-22545, https://github.com/advisories/GHSA-rv67-7w2g-7976, https://github.com/mattermost/mattermost/commit/ced9a56e3988fe9fd4559d45f9971dbd562e2218, https://github.com/mattermost/mattermost, https://mattermost.com/security-updates`
 
 ## 受控验证流程
 
 - Workflow ID: `mattermost--CVE-2026-22545--workflow`
-- 漏洞家族: `xss`
-- 入口面: `web-ui-render-path`
-- 需要角色: `editor-or-admin`
-- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
-- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
-- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
-- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+- 漏洞家族: `unknown`
+- 入口面: `repo-surface`
+- 需要角色: `unknown`
+- 触发向量: 对 `unknown` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/repo`
+- 输入形态: 提交最小化、可审计、可回滚的受控输入。
+- 预期不安全行为: 目标表现出超出设计边界的行为。
 
 ## 其他来源
 
+- https://github.com/advisories/GHSA-rv67-7w2g-7976
 - https://github.com/mattermost/mattermost/commit/ced9a56e3988fe9fd4559d45f9971dbd562e2218
 - https://github.com/mattermost/mattermost
 - https://mattermost.com/security-updates
@@ -119,7 +126,7 @@ primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-22545"
 - 确认目标版本从 `introduced=0, fixed<8.0.0-20260127144908-ced9a56e3988, introduced=0, fixed<5.3.2-0.20260127144908-ced9a56e3988, introduced=10.11.0-rc1, fixed<10.11.11` 升级或回移到 `8.0.0-20260127144908-ced9a56e3988`。
 - 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
 - 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
-- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+- 补充 `unknown` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
 
 ### 实验安全备注
 

07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-24458.md

@@ -0,0 +1,178 @@
+---
+title: "Mattermost fails to properly handle very long passwords"
+system_id: "mattermost"
+category: "platforms"
+advisory_mode: "core"
+published_date: "2026-03-16T15:30:42Z"
+updated_date: "2026-03-23T18:56:03.732922Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "ecosystem-authority"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-24458"
+  - "GO-2026-4731"
+  - "GHSA-m5rv-56xx-hfc6"
+affected_versions:
+  - "introduced=0, fixed<8.0.0-20260129164748-7201f42d955f"
+  - "introduced=0, fixed<5.3.2-0.20260129164748-7201f42d955f"
+  - "introduced=10.11.0-rc1, fixed<10.11.11"
+  - "introduced=11.2.0-rc1, fixed<11.2.3"
+  - "introduced=11.3.0-rc1, fixed<11.3.1"
+  - "introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible"
+  - "introduced=0"
+fixed_versions:
+  - "8.0.0-20260129164748-7201f42d955f"
+  - "5.3.2-0.20260129164748-7201f42d955f"
+  - "10.11.11"
+  - "11.2.3"
+  - "11.3.1"
+  - "10.11.11+incompatible"
+  - "11.2.3+incompatible"
+  - "11.3.1+incompatible"
+entity_refs:
+  - "mattermost:system:root-system"
+  - "mattermost--repo--github-com-mattermost-mattermost-server:repo:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "dependency-upgrade-policy"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-24458"
+---
+
+# Mattermost fails to properly handle very long passwords
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `mattermost--CVE-2026-24458`
+- 系统: `mattermost`
+- 严重度: `low`
+- 来源置信度: `ecosystem-authority`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-24458
+- 影响版本: `introduced=0, fixed<8.0.0-20260129164748-7201f42d955f, introduced=0, fixed<5.3.2-0.20260129164748-7201f42d955f, introduced=10.11.0-rc1, fixed<10.11.11, introduced=11.2.0-rc1, fixed<11.2.3, introduced=11.3.0-rc1, fixed<11.3.1, introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible, introduced=0`
+- 修复版本: `8.0.0-20260129164748-7201f42d955f, 5.3.2-0.20260129164748-7201f42d955f, 10.11.11, 11.2.3, 11.3.1, 10.11.11+incompatible, 11.2.3+incompatible, 11.3.1+incompatible`
+
+## 对象与版本映射
+
+- Advisory Scope: `repo`
+- 影响对象: `mattermost / mattermost-server`
+- Entity Refs: `mattermost, mattermost--repo--github-com-mattermost-mattermost-server`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-24458, https://github.com/advisories/GHSA-m5rv-56xx-hfc6, https://github.com/mattermost/mattermost/commit/7201f42d955f1bc44719b862132546626b60a180, https://github.com/mattermost/mattermost, https://mattermost.com/security-updates`
+
+## 受控验证流程
+
+- Workflow ID: `mattermost--CVE-2026-24458--workflow`
+- 漏洞家族: `unknown`
+- 入口面: `repo-surface`
+- 需要角色: `unknown`
+- 触发向量: 对 `unknown` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/repo`
+- 输入形态: 提交最小化、可审计、可回滚的受控输入。
+- 预期不安全行为: 目标表现出超出设计边界的行为。
+
+## 其他来源
+
+- https://github.com/advisories/GHSA-m5rv-56xx-hfc6
+- https://github.com/mattermost/mattermost/commit/7201f42d955f1bc44719b862132546626b60a180
+- https://github.com/mattermost/mattermost
+- https://mattermost.com/security-updates
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<8.0.0-20260129164748-7201f42d955f, introduced=0, fixed<5.3.2-0.20260129164748-7201f42d955f, introduced=10.11.0-rc1, fixed<10.11.11` 升级或回移到 `8.0.0-20260129164748-7201f42d955f`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `unknown` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2455.md

@@ -0,0 +1,187 @@
+---
+title: "Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation"
+system_id: "mattermost"
+category: "platforms"
+advisory_mode: "core"
+published_date: "2026-03-16T15:30:47Z"
+updated_date: "2026-03-23T18:56:08.125706Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "ecosystem-authority"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-2455"
+  - "GO-2026-4746"
+  - "GHSA-gqv7-j2j8-qmwq"
+affected_versions:
+  - "introduced=0, fixed<8.0.0-20260129133647-5d787969c2d5"
+  - "introduced=0, fixed<5.3.2-0.20260129133647-5d787969c2d5"
+  - "introduced=10.11.0-rc1, fixed<10.11.11"
+  - "introduced=11.2.0-rc1, fixed<11.2.3"
+  - "introduced=11.3.0-rc1, fixed<11.3.1"
+  - "introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible"
+  - "introduced=0"
+fixed_versions:
+  - "8.0.0-20260129133647-5d787969c2d5"
+  - "5.3.2-0.20260129133647-5d787969c2d5"
+  - "10.11.11"
+  - "11.2.3"
+  - "11.3.1"
+  - "10.11.11+incompatible"
+  - "11.2.3+incompatible"
+  - "11.3.1+incompatible"
+entity_refs:
+  - "mattermost:system:root-system"
+  - "mattermost--repo--github-com-mattermost-mattermost-server:repo:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "ssrf-url-validation"
+  - "dependency-upgrade-policy"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-2455"
+---
+
+# Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `mattermost--CVE-2026-2455`
+- 系统: `mattermost`
+- 严重度: `low`
+- 来源置信度: `ecosystem-authority`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-2455
+- 影响版本: `introduced=0, fixed<8.0.0-20260129133647-5d787969c2d5, introduced=0, fixed<5.3.2-0.20260129133647-5d787969c2d5, introduced=10.11.0-rc1, fixed<10.11.11, introduced=11.2.0-rc1, fixed<11.2.3, introduced=11.3.0-rc1, fixed<11.3.1, introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible, introduced=0`
+- 修复版本: `8.0.0-20260129133647-5d787969c2d5, 5.3.2-0.20260129133647-5d787969c2d5, 10.11.11, 11.2.3, 11.3.1, 10.11.11+incompatible, 11.2.3+incompatible, 11.3.1+incompatible`
+
+## 对象与版本映射
+
+- Advisory Scope: `repo`
+- 影响对象: `mattermost / mattermost-server`
+- Entity Refs: `mattermost, mattermost--repo--github-com-mattermost-mattermost-server`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-2455, https://github.com/advisories/GHSA-gqv7-j2j8-qmwq, https://github.com/mattermost/mattermost/commit/5d787969c2d5ab591a9dcd61b0810475eed7a646, https://github.com/mattermost/mattermost, https://mattermost.com/security-updates`
+
+## 受控验证流程
+
+- Workflow ID: `mattermost--CVE-2026-2455--workflow`
+- 漏洞家族: `ssrf`
+- 入口面: `remote-fetch-or-webhook-endpoint`
+- 需要角色: `editor-or-admin`
+- 触发向量: 对 `ssrf` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/webhook/test, /remote-fetch, /import-url`
+- 输入形态: 提交受控回环或哨兵 URL，验证协议、主机、IP 与重定向限制。
+- 预期不安全行为: 服务端向受控目标发起非预期请求。
+
+## 其他来源
+
+- https://github.com/advisories/GHSA-gqv7-j2j8-qmwq
+- https://github.com/mattermost/mattermost/commit/5d787969c2d5ab591a9dcd61b0810475eed7a646
+- https://github.com/mattermost/mattermost
+- https://mattermost.com/security-updates
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<8.0.0-20260129133647-5d787969c2d5, introduced=0, fixed<5.3.2-0.20260129133647-5d787969c2d5, introduced=10.11.0-rc1, fixed<10.11.11` 升级或回移到 `8.0.0-20260129133647-5d787969c2d5`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `ssrf` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/ssrf-url-validation.md)
+- [nodejs:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/nodejs/ssrf-url-validation.md)
+- [java:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/java/ssrf-url-validation.md)
+- [php:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/php/ssrf-url-validation.md)
+- [python:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/python/ssrf-url-validation.md)
+- [ruby:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/ruby/ssrf-url-validation.md)
+- [csharp:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/csharp/ssrf-url-validation.md)
+- [go:ssrf-url-validation](/Users/x/websafe/05-defense/secure-code/go/ssrf-url-validation.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2457.md

@@ -0,0 +1,178 @@
+---
+title: "Mattermost allows attackers to spoof permalink embeds"
+system_id: "mattermost"
+category: "platforms"
+advisory_mode: "core"
+published_date: "2026-03-16T15:30:42Z"
+updated_date: "2026-03-23T18:56:18.286997Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "ecosystem-authority"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-2457"
+  - "GO-2026-4732"
+  - "GHSA-ph22-fw5m-w2q9"
+affected_versions:
+  - "introduced=0, fixed<8.0.0-20260123211116-9efe617be8b8"
+  - "introduced=0, fixed<5.3.2-0.20260123211116-9efe617be8b8"
+  - "introduced=10.11.0-rc1, fixed<10.11.11"
+  - "introduced=11.2.0-rc1, fixed<11.2.3"
+  - "introduced=11.3.0-rc1, fixed<11.3.1"
+  - "introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible"
+  - "introduced=0"
+fixed_versions:
+  - "8.0.0-20260123211116-9efe617be8b8"
+  - "5.3.2-0.20260123211116-9efe617be8b8"
+  - "10.11.11"
+  - "11.2.3"
+  - "11.3.1"
+  - "10.11.11+incompatible"
+  - "11.2.3+incompatible"
+  - "11.3.1+incompatible"
+entity_refs:
+  - "mattermost:system:root-system"
+  - "mattermost--repo--github-com-mattermost-mattermost-server:repo:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "dependency-upgrade-policy"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-2457"
+---
+
+# Mattermost allows attackers to spoof permalink embeds
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `mattermost--CVE-2026-2457`
+- 系统: `mattermost`
+- 严重度: `low`
+- 来源置信度: `ecosystem-authority`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-2457
+- 影响版本: `introduced=0, fixed<8.0.0-20260123211116-9efe617be8b8, introduced=0, fixed<5.3.2-0.20260123211116-9efe617be8b8, introduced=10.11.0-rc1, fixed<10.11.11, introduced=11.2.0-rc1, fixed<11.2.3, introduced=11.3.0-rc1, fixed<11.3.1, introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible, introduced=0`
+- 修复版本: `8.0.0-20260123211116-9efe617be8b8, 5.3.2-0.20260123211116-9efe617be8b8, 10.11.11, 11.2.3, 11.3.1, 10.11.11+incompatible, 11.2.3+incompatible, 11.3.1+incompatible`
+
+## 对象与版本映射
+
+- Advisory Scope: `repo`
+- 影响对象: `mattermost / mattermost-server`
+- Entity Refs: `mattermost, mattermost--repo--github-com-mattermost-mattermost-server`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-2457, https://github.com/advisories/GHSA-ph22-fw5m-w2q9, https://github.com/mattermost/mattermost/commit/9efe617be8b8f1d036e12721e8e73b69a543ed34, https://github.com/mattermost/mattermost, https://mattermost.com/security-updates`
+
+## 受控验证流程
+
+- Workflow ID: `mattermost--CVE-2026-2457--workflow`
+- 漏洞家族: `unknown`
+- 入口面: `repo-surface`
+- 需要角色: `unknown`
+- 触发向量: 对 `unknown` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/repo`
+- 输入形态: 提交最小化、可审计、可回滚的受控输入。
+- 预期不安全行为: 目标表现出超出设计边界的行为。
+
+## 其他来源
+
+- https://github.com/advisories/GHSA-ph22-fw5m-w2q9
+- https://github.com/mattermost/mattermost/commit/9efe617be8b8f1d036e12721e8e73b69a543ed34
+- https://github.com/mattermost/mattermost
+- https://mattermost.com/security-updates
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<8.0.0-20260123211116-9efe617be8b8, introduced=0, fixed<5.3.2-0.20260123211116-9efe617be8b8, introduced=10.11.0-rc1, fixed<10.11.11` 升级或回移到 `8.0.0-20260123211116-9efe617be8b8`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `unknown` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2458.md

@@ -0,0 +1,178 @@
+---
+title: "Mattermost allows a removed team member to enumerate all public channels within a private team"
+system_id: "mattermost"
+category: "platforms"
+advisory_mode: "core"
+published_date: "2026-03-16T15:30:43Z"
+updated_date: "2026-03-23T18:56:02.455815Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "ecosystem-authority"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-2458"
+  - "GO-2026-4729"
+  - "GHSA-679f-wmrg-qf57"
+affected_versions:
+  - "introduced=0, fixed<8.0.0-20260113182106-a18b80ba4c32"
+  - "introduced=0, fixed<5.3.2-0.20260113182106-a18b80ba4c32"
+  - "introduced=10.11.0-rc1, fixed<10.11.11"
+  - "introduced=11.2.0-rc1, fixed<11.2.3"
+  - "introduced=11.3.0-rc1, fixed<11.3.1"
+  - "introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible"
+  - "introduced=0"
+fixed_versions:
+  - "8.0.0-20260113182106-a18b80ba4c32"
+  - "5.3.2-0.20260113182106-a18b80ba4c32"
+  - "10.11.11"
+  - "11.2.3"
+  - "11.3.1"
+  - "10.11.11+incompatible"
+  - "11.2.3+incompatible"
+  - "11.3.1+incompatible"
+entity_refs:
+  - "mattermost:system:root-system"
+  - "mattermost--repo--github-com-mattermost-mattermost-server:repo:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "dependency-upgrade-policy"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-2458"
+---
+
+# Mattermost allows a removed team member to enumerate all public channels within a private team
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `mattermost--CVE-2026-2458`
+- 系统: `mattermost`
+- 严重度: `low`
+- 来源置信度: `ecosystem-authority`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-2458
+- 影响版本: `introduced=0, fixed<8.0.0-20260113182106-a18b80ba4c32, introduced=0, fixed<5.3.2-0.20260113182106-a18b80ba4c32, introduced=10.11.0-rc1, fixed<10.11.11, introduced=11.2.0-rc1, fixed<11.2.3, introduced=11.3.0-rc1, fixed<11.3.1, introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible, introduced=0`
+- 修复版本: `8.0.0-20260113182106-a18b80ba4c32, 5.3.2-0.20260113182106-a18b80ba4c32, 10.11.11, 11.2.3, 11.3.1, 10.11.11+incompatible, 11.2.3+incompatible, 11.3.1+incompatible`
+
+## 对象与版本映射
+
+- Advisory Scope: `repo`
+- 影响对象: `mattermost / mattermost-server`
+- Entity Refs: `mattermost, mattermost--repo--github-com-mattermost-mattermost-server`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-2458, https://github.com/advisories/GHSA-679f-wmrg-qf57, https://github.com/mattermost/mattermost/commit/a18b80ba4c324b74b3d47951c33957305af4a099, https://github.com/mattermost/mattermost, https://mattermost.com/security-updates`
+
+## 受控验证流程
+
+- Workflow ID: `mattermost--CVE-2026-2458--workflow`
+- 漏洞家族: `unknown`
+- 入口面: `repo-surface`
+- 需要角色: `unknown`
+- 触发向量: 对 `unknown` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/repo`
+- 输入形态: 提交最小化、可审计、可回滚的受控输入。
+- 预期不安全行为: 目标表现出超出设计边界的行为。
+
+## 其他来源
+
+- https://github.com/advisories/GHSA-679f-wmrg-qf57
+- https://github.com/mattermost/mattermost/commit/a18b80ba4c324b74b3d47951c33957305af4a099
+- https://github.com/mattermost/mattermost
+- https://mattermost.com/security-updates
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<8.0.0-20260113182106-a18b80ba4c32, introduced=0, fixed<5.3.2-0.20260113182106-a18b80ba4c32, introduced=10.11.0-rc1, fixed<10.11.11` 升级或回移到 `8.0.0-20260113182106-a18b80ba4c32`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `unknown` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2463.md

@@ -0,0 +1,178 @@
+---
+title: "Mattermost fails to filter invite IDs based on user permissions"
+system_id: "mattermost"
+category: "platforms"
+advisory_mode: "core"
+published_date: "2026-03-16T15:30:43Z"
+updated_date: "2026-03-23T18:56:08.610141Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "ecosystem-authority"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-2463"
+  - "GO-2026-4735"
+  - "GHSA-fx49-m253-27jj"
+affected_versions:
+  - "introduced=0, fixed<8.0.0-20260105134819-cc427af41b2a"
+  - "introduced=0, fixed<5.3.2-0.20260105134819-cc427af41b2a"
+  - "introduced=10.11.0-rc1, fixed<10.11.11"
+  - "introduced=11.2.0-rc1, fixed<11.2.3"
+  - "introduced=11.3.0-rc1, fixed<11.3.1"
+  - "introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible"
+  - "introduced=0"
+fixed_versions:
+  - "8.0.0-20260105134819-cc427af41b2a"
+  - "5.3.2-0.20260105134819-cc427af41b2a"
+  - "10.11.11"
+  - "11.2.3"
+  - "11.3.1"
+  - "10.11.11+incompatible"
+  - "11.2.3+incompatible"
+  - "11.3.1+incompatible"
+entity_refs:
+  - "mattermost:system:root-system"
+  - "mattermost--repo--github-com-mattermost-mattermost-server:repo:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "dependency-upgrade-policy"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-2463"
+---
+
+# Mattermost fails to filter invite IDs based on user permissions
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `mattermost--CVE-2026-2463`
+- 系统: `mattermost`
+- 严重度: `low`
+- 来源置信度: `ecosystem-authority`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-2463
+- 影响版本: `introduced=0, fixed<8.0.0-20260105134819-cc427af41b2a, introduced=0, fixed<5.3.2-0.20260105134819-cc427af41b2a, introduced=10.11.0-rc1, fixed<10.11.11, introduced=11.2.0-rc1, fixed<11.2.3, introduced=11.3.0-rc1, fixed<11.3.1, introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible, introduced=0`
+- 修复版本: `8.0.0-20260105134819-cc427af41b2a, 5.3.2-0.20260105134819-cc427af41b2a, 10.11.11, 11.2.3, 11.3.1, 10.11.11+incompatible, 11.2.3+incompatible, 11.3.1+incompatible`
+
+## 对象与版本映射
+
+- Advisory Scope: `repo`
+- 影响对象: `mattermost / mattermost-server`
+- Entity Refs: `mattermost, mattermost--repo--github-com-mattermost-mattermost-server`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-2463, https://github.com/advisories/GHSA-fx49-m253-27jj, https://github.com/mattermost/mattermost/commit/cc427af41b2a8d3a552d8dc42978831dcfecc1d8, https://github.com/mattermost/mattermost, https://mattermost.com/security-updates`
+
+## 受控验证流程
+
+- Workflow ID: `mattermost--CVE-2026-2463--workflow`
+- 漏洞家族: `authz-bypass`
+- 入口面: `privileged-route-or-object-reference`
+- 需要角色: `cross-tenant-or-low-privileged-user`
+- 触发向量: 对 `authz-bypass` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/admin/*, /api/private/*, /tenant/*`
+- 输入形态: 使用低权限身份访问高权限对象或跨租户资源。
+- 预期不安全行为: 低权限身份可访问本不应可见的数据或操作。
+
+## 其他来源
+
+- https://github.com/advisories/GHSA-fx49-m253-27jj
+- https://github.com/mattermost/mattermost/commit/cc427af41b2a8d3a552d8dc42978831dcfecc1d8
+- https://github.com/mattermost/mattermost
+- https://mattermost.com/security-updates
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<8.0.0-20260105134819-cc427af41b2a, introduced=0, fixed<5.3.2-0.20260105134819-cc427af41b2a, introduced=10.11.0-rc1, fixed<10.11.11` 升级或回移到 `8.0.0-20260105134819-cc427af41b2a`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `authz-bypass` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-24692.md

@@ -0,0 +1,178 @@
+---
+title: "Mattermost fails to properly enforce read permissions in search API endpoints"
+system_id: "mattermost"
+category: "platforms"
+advisory_mode: "core"
+published_date: "2026-03-16T15:30:47Z"
+updated_date: "2026-03-23T18:55:57.125165Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "ecosystem-authority"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-24692"
+  - "GO-2026-4745"
+  - "GHSA-cwfj-642j-gfh4"
+affected_versions:
+  - "introduced=0, fixed<8.0.0-20260107142155-0481bd1fb045"
+  - "introduced=0, fixed<5.3.2-0.20260107142155-0481bd1fb045"
+  - "introduced=10.11.0-rc1, fixed<10.11.11"
+  - "introduced=11.2.0-rc1, fixed<11.2.3"
+  - "introduced=11.3.0-rc1, fixed<11.3.1"
+  - "introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible"
+  - "introduced=0"
+fixed_versions:
+  - "8.0.0-20260107142155-0481bd1fb045"
+  - "5.3.2-0.20260107142155-0481bd1fb045"
+  - "10.11.11"
+  - "11.2.3"
+  - "11.3.1"
+  - "10.11.11+incompatible"
+  - "11.2.3+incompatible"
+  - "11.3.1+incompatible"
+entity_refs:
+  - "mattermost:system:root-system"
+  - "mattermost--repo--github-com-mattermost-mattermost-server:repo:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "dependency-upgrade-policy"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-24692"
+---
+
+# Mattermost fails to properly enforce read permissions in search API endpoints
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `mattermost--CVE-2026-24692`
+- 系统: `mattermost`
+- 严重度: `low`
+- 来源置信度: `ecosystem-authority`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-24692
+- 影响版本: `introduced=0, fixed<8.0.0-20260107142155-0481bd1fb045, introduced=0, fixed<5.3.2-0.20260107142155-0481bd1fb045, introduced=10.11.0-rc1, fixed<10.11.11, introduced=11.2.0-rc1, fixed<11.2.3, introduced=11.3.0-rc1, fixed<11.3.1, introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible, introduced=0`
+- 修复版本: `8.0.0-20260107142155-0481bd1fb045, 5.3.2-0.20260107142155-0481bd1fb045, 10.11.11, 11.2.3, 11.3.1, 10.11.11+incompatible, 11.2.3+incompatible, 11.3.1+incompatible`
+
+## 对象与版本映射
+
+- Advisory Scope: `repo`
+- 影响对象: `mattermost / mattermost-server`
+- Entity Refs: `mattermost, mattermost--repo--github-com-mattermost-mattermost-server`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-24692, https://github.com/advisories/GHSA-cwfj-642j-gfh4, https://github.com/mattermost/mattermost/commit/0481bd1fb04584db97eca45fd58ebd06c8200df4, https://github.com/mattermost/mattermost, https://mattermost.com/security-updates`
+
+## 受控验证流程
+
+- Workflow ID: `mattermost--CVE-2026-24692--workflow`
+- 漏洞家族: `unknown`
+- 入口面: `repo-surface`
+- 需要角色: `unknown`
+- 触发向量: 对 `unknown` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/repo`
+- 输入形态: 提交最小化、可审计、可回滚的受控输入。
+- 预期不安全行为: 目标表现出超出设计边界的行为。
+
+## 其他来源
+
+- https://github.com/advisories/GHSA-cwfj-642j-gfh4
+- https://github.com/mattermost/mattermost/commit/0481bd1fb04584db97eca45fd58ebd06c8200df4
+- https://github.com/mattermost/mattermost
+- https://mattermost.com/security-updates
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<8.0.0-20260107142155-0481bd1fb045, introduced=0, fixed<5.3.2-0.20260107142155-0481bd1fb045, introduced=10.11.0-rc1, fixed<10.11.11` 升级或回移到 `8.0.0-20260107142155-0481bd1fb045`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `unknown` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-2578.md

@@ -0,0 +1,178 @@
+---
+title: "Mattermost fails to preserve the redacted state of burn-on-read posts during deletion"
+system_id: "mattermost"
+category: "platforms"
+advisory_mode: "core"
+published_date: "2026-03-16T15:30:43Z"
+updated_date: "2026-03-23T18:56:01.583567Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "ecosystem-authority"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-2578"
+  - "GO-2026-4734"
+  - "GHSA-3rhr-jr63-hwq5"
+affected_versions:
+  - "introduced=0, fixed<8.0.0-20260127062706-c6b205f0d770"
+  - "introduced=0, fixed<5.3.2-0.20260127062706-c6b205f0d770"
+  - "introduced=10.11.0-rc1, fixed<10.11.11"
+  - "introduced=11.2.0-rc1, fixed<11.2.3"
+  - "introduced=11.3.0-rc1, fixed<11.3.1"
+  - "introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible"
+  - "introduced=0"
+fixed_versions:
+  - "8.0.0-20260127062706-c6b205f0d770"
+  - "5.3.2-0.20260127062706-c6b205f0d770"
+  - "10.11.11"
+  - "11.2.3"
+  - "11.3.1"
+  - "10.11.11+incompatible"
+  - "11.2.3+incompatible"
+  - "11.3.1+incompatible"
+entity_refs:
+  - "mattermost:system:root-system"
+  - "mattermost--repo--github-com-mattermost-mattermost-server:repo:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "dependency-upgrade-policy"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-2578"
+---
+
+# Mattermost fails to preserve the redacted state of burn-on-read posts during deletion
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `mattermost--CVE-2026-2578`
+- 系统: `mattermost`
+- 严重度: `low`
+- 来源置信度: `ecosystem-authority`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-2578
+- 影响版本: `introduced=0, fixed<8.0.0-20260127062706-c6b205f0d770, introduced=0, fixed<5.3.2-0.20260127062706-c6b205f0d770, introduced=10.11.0-rc1, fixed<10.11.11, introduced=11.2.0-rc1, fixed<11.2.3, introduced=11.3.0-rc1, fixed<11.3.1, introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible, introduced=0`
+- 修复版本: `8.0.0-20260127062706-c6b205f0d770, 5.3.2-0.20260127062706-c6b205f0d770, 10.11.11, 11.2.3, 11.3.1, 10.11.11+incompatible, 11.2.3+incompatible, 11.3.1+incompatible`
+
+## 对象与版本映射
+
+- Advisory Scope: `repo`
+- 影响对象: `mattermost / mattermost-server`
+- Entity Refs: `mattermost, mattermost--repo--github-com-mattermost-mattermost-server`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-2578, https://github.com/advisories/GHSA-3rhr-jr63-hwq5, https://github.com/mattermost/mattermost/commit/c6b205f0d77080ef805783de0628b9526af7faec, https://github.com/mattermost/mattermost, https://mattermost.com/security-updates`
+
+## 受控验证流程
+
+- Workflow ID: `mattermost--CVE-2026-2578--workflow`
+- 漏洞家族: `unknown`
+- 入口面: `repo-surface`
+- 需要角色: `unknown`
+- 触发向量: 对 `unknown` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/repo`
+- 输入形态: 提交最小化、可审计、可回滚的受控输入。
+- 预期不安全行为: 目标表现出超出设计边界的行为。
+
+## 其他来源
+
+- https://github.com/advisories/GHSA-3rhr-jr63-hwq5
+- https://github.com/mattermost/mattermost/commit/c6b205f0d77080ef805783de0628b9526af7faec
+- https://github.com/mattermost/mattermost
+- https://mattermost.com/security-updates
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<8.0.0-20260127062706-c6b205f0d770, introduced=0, fixed<5.3.2-0.20260127062706-c6b205f0d770, introduced=10.11.0-rc1, fixed<10.11.11` 升级或回移到 `8.0.0-20260127062706-c6b205f0d770`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `unknown` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-25780.md

@@ -0,0 +1,187 @@
+---
+title: "Mattermost fails to bound memory allocation when processing DOC files"
+system_id: "mattermost"
+category: "platforms"
+advisory_mode: "core"
+published_date: "2026-03-16T15:30:42Z"
+updated_date: "2026-03-23T18:56:18.467718Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "ecosystem-authority"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-25780"
+  - "GO-2026-4733"
+  - "GHSA-xv2p-wchj-qjhp"
+affected_versions:
+  - "introduced=0, fixed<8.0.0-20260123215601-86797c508c44"
+  - "introduced=0, fixed<5.3.2-0.20260123215601-86797c508c44"
+  - "introduced=10.11.0-rc1, fixed<10.11.11"
+  - "introduced=11.2.0-rc1, fixed<11.2.3"
+  - "introduced=11.3.0-rc1, fixed<11.3.1"
+  - "introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible"
+  - "introduced=0"
+fixed_versions:
+  - "8.0.0-20260123215601-86797c508c44"
+  - "5.3.2-0.20260123215601-86797c508c44"
+  - "10.11.11"
+  - "11.2.3"
+  - "11.3.1"
+  - "10.11.11+incompatible"
+  - "11.2.3+incompatible"
+  - "11.3.1+incompatible"
+entity_refs:
+  - "mattermost:system:root-system"
+  - "mattermost--repo--github-com-mattermost-mattermost-server:repo:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "file-upload-validation"
+  - "dependency-upgrade-policy"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-25780"
+---
+
+# Mattermost fails to bound memory allocation when processing DOC files
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `mattermost--CVE-2026-25780`
+- 系统: `mattermost`
+- 严重度: `low`
+- 来源置信度: `ecosystem-authority`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-25780
+- 影响版本: `introduced=0, fixed<8.0.0-20260123215601-86797c508c44, introduced=0, fixed<5.3.2-0.20260123215601-86797c508c44, introduced=10.11.0-rc1, fixed<10.11.11, introduced=11.2.0-rc1, fixed<11.2.3, introduced=11.3.0-rc1, fixed<11.3.1, introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible, introduced=0`
+- 修复版本: `8.0.0-20260123215601-86797c508c44, 5.3.2-0.20260123215601-86797c508c44, 10.11.11, 11.2.3, 11.3.1, 10.11.11+incompatible, 11.2.3+incompatible, 11.3.1+incompatible`
+
+## 对象与版本映射
+
+- Advisory Scope: `repo`
+- 影响对象: `mattermost / mattermost-server`
+- Entity Refs: `mattermost, mattermost--repo--github-com-mattermost-mattermost-server`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-25780, https://github.com/advisories/GHSA-xv2p-wchj-qjhp, https://github.com/mattermost/mattermost/commit/86797c508c444e299b20889ce241fde505a402cc, https://github.com/mattermost/mattermost, https://mattermost.com/security-updates`
+
+## 受控验证流程
+
+- Workflow ID: `mattermost--CVE-2026-25780--workflow`
+- 漏洞家族: `unknown`
+- 入口面: `repo-surface`
+- 需要角色: `unknown`
+- 触发向量: 对 `unknown` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/repo`
+- 输入形态: 提交最小化、可审计、可回滚的受控输入。
+- 预期不安全行为: 目标表现出超出设计边界的行为。
+
+## 其他来源
+
+- https://github.com/advisories/GHSA-xv2p-wchj-qjhp
+- https://github.com/mattermost/mattermost/commit/86797c508c444e299b20889ce241fde505a402cc
+- https://github.com/mattermost/mattermost
+- https://mattermost.com/security-updates
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<8.0.0-20260123215601-86797c508c44, introduced=0, fixed<5.3.2-0.20260123215601-86797c508c44, introduced=10.11.0-rc1, fixed<10.11.11` 升级或回移到 `8.0.0-20260123215601-86797c508c44`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `unknown` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-26246.md

@@ -0,0 +1,186 @@
+---
+title: "Mattermost fails to bound memory allocation when processing PSD image files"
+system_id: "mattermost"
+category: "platforms"
+advisory_mode: "core"
+published_date: "2026-03-16T15:30:42Z"
+updated_date: "2026-03-23T18:56:08.918090Z"
+severity: "low"
+exploit_status: "unknown"
+source_confidence: "ecosystem-authority"
+verification_status: "triage-manual"
+verification_mode: "synthetic"
+artifact_mode: "synthetic"
+last_run_id: ""
+target_types:
+  - "lab-local"
+  - "lab-public"
+  - "authorized-third-party"
+allow_public_validation: "yes, with ownership or explicit authorization"
+authorization_prerequisite: "asset ownership proof or explicit written authorization"
+minimal_validation: "read-only probe, controlled payload, reversible test"
+aliases:
+  - "CVE-2026-26246"
+  - "GO-2026-4727"
+  - "GHSA-44mv-jq72-gj49"
+affected_versions:
+  - "introduced=0, fixed<8.0.0-20260115183946-38b413a27604"
+  - "introduced=0, fixed<5.3.2-0.20260115183946-38b413a27604"
+  - "introduced=10.11.0-rc1, fixed<10.11.11"
+  - "introduced=11.2.0-rc1, fixed<11.2.3"
+  - "introduced=11.3.0-rc1, fixed<11.3.1"
+  - "introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible"
+  - "introduced=0"
+fixed_versions:
+  - "8.0.0-20260115183946-38b413a27604"
+  - "5.3.2-0.20260115183946-38b413a27604"
+  - "10.11.11"
+  - "11.2.3"
+  - "11.3.1"
+  - "10.11.11+incompatible"
+  - "11.2.3+incompatible"
+  - "11.3.1+incompatible"
+entity_refs:
+  - "mattermost:system:root-system"
+  - "mattermost--repo--github-com-mattermost-mattermost-server:repo:affected-component"
+secure_code_topics:
+  - "authz-server-side-recheck"
+  - "xss-output-encoding"
+  - "token-cookie-storage"
+  - "file-upload-validation"
+  - "dependency-upgrade-policy"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-26246"
+---
+
+# Mattermost fails to bound memory allocation when processing PSD image files
+
+## 本地实证状态
+
+- 实证状态: `triage-manual`
+- 实证方式: `synthetic`
+- Artifact 模式: `synthetic`
+- 最近运行: `-`
+- 浏览器证据: `missing`
+- Run Bundle: `-`
+
+## 事件层
+
+- Canonical ID: `mattermost--CVE-2026-26246`
+- 系统: `mattermost`
+- 严重度: `low`
+- 来源置信度: `ecosystem-authority`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-26246
+- 影响版本: `introduced=0, fixed<8.0.0-20260115183946-38b413a27604, introduced=0, fixed<5.3.2-0.20260115183946-38b413a27604, introduced=10.11.0-rc1, fixed<10.11.11, introduced=11.2.0-rc1, fixed<11.2.3, introduced=11.3.0-rc1, fixed<11.3.1, introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible, introduced=0`
+- 修复版本: `8.0.0-20260115183946-38b413a27604, 5.3.2-0.20260115183946-38b413a27604, 10.11.11, 11.2.3, 11.3.1, 10.11.11+incompatible, 11.2.3+incompatible, 11.3.1+incompatible`
+
+## 对象与版本映射
+
+- Advisory Scope: `repo`
+- 影响对象: `mattermost / mattermost-server`
+- Entity Refs: `mattermost, mattermost--repo--github-com-mattermost-mattermost-server`
+- 版本置信度: `high`
+- 版本缺口: `-`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-26246, https://github.com/mattermost/mattermost/commit/38b413a27604e8721fbe008f8ec4b4e6c47ad4f0, https://github.com/mattermost/mattermost, https://mattermost.com/security-updates`
+
+## 受控验证流程
+
+- Workflow ID: `mattermost--CVE-2026-26246--workflow`
+- 漏洞家族: `unknown`
+- 入口面: `repo-surface`
+- 需要角色: `unknown`
+- 触发向量: 对 `unknown` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/repo`
+- 输入形态: 提交最小化、可审计、可回滚的受控输入。
+- 预期不安全行为: 目标表现出超出设计边界的行为。
+
+## 其他来源
+
+- https://github.com/mattermost/mattermost/commit/38b413a27604e8721fbe008f8ec4b4e6c47ad4f0
+- https://github.com/mattermost/mattermost
+- https://mattermost.com/security-updates
+
+## 证据点与补丁验证
+
+### 服务端证据点
+
+- 应用日志中的命中路径、鉴权决策和异常栈
+- 反向代理或边界层日志中的请求头、来源 IP 与路由决策
+
+### 浏览器证据点
+
+- 基线截图与攻击后截图的 DOM/视觉差异
+- console、network 与 response metadata 中的异常信号
+
+### 数据库/文件系统证据点
+
+- 数据库中新增/越权读取的测试数据
+- 文件系统中新增上传样本、缓存条目或越权读取痕迹
+
+### 检测信号
+
+- WAF / reverse proxy 异常日志、访问日志和告警
+- 应用审计日志中的权限错误、重定向异常、模板渲染或上传落盘事件
+
+### 补丁验证步骤
+
+- 确认目标版本从 `introduced=0, fixed<8.0.0-20260115183946-38b413a27604, introduced=0, fixed<5.3.2-0.20260115183946-38b413a27604, introduced=10.11.0-rc1, fixed<10.11.11` 升级或回移到 `8.0.0-20260115183946-38b413a27604`。
+- 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
+- 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
+- 补充 `unknown` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+
+### 实验安全备注
+
+- 只使用回环地址、哨兵目标、无害样本或可回滚测试数据。
+- 禁止造成持久破坏、越权下载真实数据或不可回滚 side effect。
+- 如需浏览器证据，保留 baseline / proof 两份快照以及 console / network 记录。
+
+## 实验层
+
+- 仅用于自有资产、测试环境或已明确授权目标。
+- 允许公网可达目标，但必须满足资产归属或明确授权前提。
+- 最小化验证方式: 最小化验证、只读探测、可审计回显、受控注入。
+- 若该案例涉及插件、模块或扩展，应同时检查供应链与升级策略。
+- 禁止场景: 无归属证明或无明确授权的公网目标；知名公共网站或与测试无关的第三方资产；会造成持久破坏、数据越权下载或不可回滚影响的动作
+
+## 修复示例
+
+- [javascript-typescript:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/javascript-typescript/authz-server-side-recheck.md)
+- [nodejs:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/nodejs/authz-server-side-recheck.md)
+- [java:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/java/authz-server-side-recheck.md)
+- [php:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/php/authz-server-side-recheck.md)
+- [python:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/python/authz-server-side-recheck.md)
+- [ruby:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/ruby/authz-server-side-recheck.md)
+- [csharp:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/csharp/authz-server-side-recheck.md)
+- [go:authz-server-side-recheck](/Users/x/websafe/05-defense/secure-code/go/authz-server-side-recheck.md)
+- [javascript-typescript:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/javascript-typescript/xss-output-encoding.md)
+- [nodejs:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/nodejs/xss-output-encoding.md)
+- [java:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/java/xss-output-encoding.md)
+- [php:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/php/xss-output-encoding.md)
+- [python:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/python/xss-output-encoding.md)
+- [ruby:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/ruby/xss-output-encoding.md)
+- [csharp:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/csharp/xss-output-encoding.md)
+- [go:xss-output-encoding](/Users/x/websafe/05-defense/secure-code/go/xss-output-encoding.md)
+- [javascript-typescript:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/javascript-typescript/token-cookie-storage.md)
+- [nodejs:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/nodejs/token-cookie-storage.md)
+- [java:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/java/token-cookie-storage.md)
+- [php:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/php/token-cookie-storage.md)
+- [python:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/python/token-cookie-storage.md)
+- [ruby:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/ruby/token-cookie-storage.md)
+- [csharp:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/csharp/token-cookie-storage.md)
+- [go:token-cookie-storage](/Users/x/websafe/05-defense/secure-code/go/token-cookie-storage.md)
+- [javascript-typescript:file-upload-validation](/Users/x/websafe/05-defense/secure-code/javascript-typescript/file-upload-validation.md)
+- [nodejs:file-upload-validation](/Users/x/websafe/05-defense/secure-code/nodejs/file-upload-validation.md)
+- [java:file-upload-validation](/Users/x/websafe/05-defense/secure-code/java/file-upload-validation.md)
+- [php:file-upload-validation](/Users/x/websafe/05-defense/secure-code/php/file-upload-validation.md)
+- [python:file-upload-validation](/Users/x/websafe/05-defense/secure-code/python/file-upload-validation.md)
+- [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
+- [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
+- [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/platforms/mattermost/cases/mattermost-cve-2026-4265.md

@@ -1,13 +1,13 @@
 ---
-title: "MMSA-2025-00553"
+title: "Mattermost fails to validate team-specific upload_file permissions"
 system_id: "mattermost"
 category: "platforms"
 advisory_mode: "core"
-published_date: "2026-03-16"
-updated_date: "2026-03-16"
-severity: "medium"
+published_date: "2026-03-16T15:30:46Z"
+updated_date: "2026-03-23T18:56:04.837800Z"
+severity: "low"
 exploit_status: "unknown"
-source_confidence: "official"
+source_confidence: "ecosystem-authority"
 verification_status: "triage-manual"
 verification_mode: "synthetic"
 artifact_mode: "synthetic"
@@ -20,29 +20,39 @@ allow_public_validation: "yes, with ownership or explicit authorization"
 authorization_prerequisite: "asset ownership proof or explicit written authorization"
 minimal_validation: "read-only probe, controlled payload, reversible test"
 aliases:
-  - "MMSA-2025-00553"
   - "CVE-2026-4265"
+  - "GO-2026-4749"
+  - "GHSA-xpvf-6qcc-9jqc"
 affected_versions:
-  - "11.3.x <= 11.3.0"
-  - "11.2.x <= 11.2.2"
-  - "10.11.x <= 10.11.10"
+  - "introduced=0, fixed<8.0.0-20260107144005-c7f6efdfb035"
+  - "introduced=0, fixed<5.3.2-0.20260107144005-c7f6efdfb035"
+  - "introduced=10.11.0-rc1, fixed<10.11.11"
+  - "introduced=11.2.0-rc1, fixed<11.2.3"
+  - "introduced=11.3.0-rc1, fixed<11.3.1"
+  - "introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible"
+  - "introduced=0"
 fixed_versions:
-  - "11.4.0"
-  - "11.3.1"
-  - "11.2.3"
+  - "8.0.0-20260107144005-c7f6efdfb035"
+  - "5.3.2-0.20260107144005-c7f6efdfb035"
   - "10.11.11"
+  - "11.2.3"
+  - "11.3.1"
+  - "10.11.11+incompatible"
+  - "11.2.3+incompatible"
+  - "11.3.1+incompatible"
 entity_refs:
   - "mattermost:system:root-system"
-  - "mattermost--project--mattermost-server:project:affected-component"
+  - "mattermost--repo--github-com-mattermost-mattermost-server:repo:affected-component"
 secure_code_topics:
   - "authz-server-side-recheck"
   - "xss-output-encoding"
   - "token-cookie-storage"
   - "file-upload-validation"
-primary_source: "https://securityupdates.mattermost.com/security_updates.json"
+  - "dependency-upgrade-policy"
+primary_source: "https://nvd.nist.gov/vuln/detail/CVE-2026-4265"
 ---
 
-# MMSA-2025-00553
+# Mattermost fails to validate team-specific upload_file permissions
 
 ## 本地实证状态
 
@@ -57,35 +67,38 @@ primary_source: "https://securityupdates.mattermost.com/security_updates.json"
 
 - Canonical ID: `mattermost--CVE-2026-4265`
 - 系统: `mattermost`
-- 严重度: `medium`
-- 来源置信度: `official`
-- 官方主源: https://securityupdates.mattermost.com/security_updates.json
-- 影响版本: `11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10`
-- 修复版本: `11.4.0, 11.3.1, 11.2.3, 10.11.11`
+- 严重度: `low`
+- 来源置信度: `ecosystem-authority`
+- 官方主源: https://nvd.nist.gov/vuln/detail/CVE-2026-4265
+- 影响版本: `introduced=0, fixed<8.0.0-20260107144005-c7f6efdfb035, introduced=0, fixed<5.3.2-0.20260107144005-c7f6efdfb035, introduced=10.11.0-rc1, fixed<10.11.11, introduced=11.2.0-rc1, fixed<11.2.3, introduced=11.3.0-rc1, fixed<11.3.1, introduced=10.11.0-rc1+incompatible, fixed<10.11.11+incompatible, introduced=0`
+- 修复版本: `8.0.0-20260107144005-c7f6efdfb035, 5.3.2-0.20260107144005-c7f6efdfb035, 10.11.11, 11.2.3, 11.3.1, 10.11.11+incompatible, 11.2.3+incompatible, 11.3.1+incompatible`
 
 ## 对象与版本映射
 
-- Advisory Scope: `package`
-- 影响对象: `Mattermost Server`
-- Entity Refs: `mattermost, mattermost--project--mattermost-server`
+- Advisory Scope: `repo`
+- 影响对象: `mattermost / mattermost-server`
+- Entity Refs: `mattermost, mattermost--repo--github-com-mattermost-mattermost-server`
 - 版本置信度: `high`
 - 版本缺口: `-`
-- 版本证据源: `https://securityupdates.mattermost.com/security_updates.json`
+- 版本证据源: `https://nvd.nist.gov/vuln/detail/CVE-2026-4265, https://github.com/advisories/GHSA-xpvf-6qcc-9jqc, https://github.com/mattermost/mattermost/commit/c7f6efdfb035490f494b3177996ee5f4b278c988, https://github.com/mattermost/mattermost, https://mattermost.com/security-updates`
 
 ## 受控验证流程
 
 - Workflow ID: `mattermost--CVE-2026-4265--workflow`
-- 漏洞家族: `xss`
-- 入口面: `web-ui-render-path`
-- 需要角色: `editor-or-admin`
-- 触发向量: 对 `xss` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
-- 请求/页面入口: `/admin/editor, /preview, /rendered-content`
-- 输入形态: 受控 HTML/Markdown/富文本输入，观察渲染上下文是否失去编码或净化。
-- 预期不安全行为: 输入在目标上下文执行或被浏览器解释为主动内容。
+- 漏洞家族: `unknown`
+- 入口面: `repo-surface`
+- 需要角色: `unknown`
+- 触发向量: 对 `unknown` 家族入口投递最小化、可审计、可回滚的受控输入，比较修复前后差异。
+- 请求/页面入口: `/repo`
+- 输入形态: 提交最小化、可审计、可回滚的受控输入。
+- 预期不安全行为: 目标表现出超出设计边界的行为。
 
 ## 其他来源
 
-- 无额外来源
+- https://github.com/advisories/GHSA-xpvf-6qcc-9jqc
+- https://github.com/mattermost/mattermost/commit/c7f6efdfb035490f494b3177996ee5f4b278c988
+- https://github.com/mattermost/mattermost
+- https://mattermost.com/security-updates
 
 ## 证据点与补丁验证
 
@@ -111,10 +124,10 @@ primary_source: "https://securityupdates.mattermost.com/security_updates.json"
 
 ### 补丁验证步骤
 
-- 确认目标版本从 `11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10` 升级或回移到 `11.4.0`。
+- 确认目标版本从 `introduced=0, fixed<8.0.0-20260107144005-c7f6efdfb035, introduced=0, fixed<5.3.2-0.20260107144005-c7f6efdfb035, introduced=10.11.0-rc1, fixed<10.11.11` 升级或回移到 `8.0.0-20260107144005-c7f6efdfb035`。
 - 保留同一组受控输入，在修复前后分别执行并比对响应、日志与浏览器证据。
 - 确认修复后仅保留预期业务行为，不再触发越权、回显、异常渲染或错误请求。
-- 补充 `xss` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
+- 补充 `unknown` 族自动化回归，避免同类路径在插件、主题或代理链中回归。
 
 ### 实验安全备注
 
@@ -164,3 +177,11 @@ primary_source: "https://securityupdates.mattermost.com/security_updates.json"
 - [ruby:file-upload-validation](/Users/x/websafe/05-defense/secure-code/ruby/file-upload-validation.md)
 - [csharp:file-upload-validation](/Users/x/websafe/05-defense/secure-code/csharp/file-upload-validation.md)
 - [go:file-upload-validation](/Users/x/websafe/05-defense/secure-code/go/file-upload-validation.md)
+- [javascript-typescript:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/javascript-typescript/dependency-upgrade-policy.md)
+- [nodejs:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/nodejs/dependency-upgrade-policy.md)
+- [java:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/java/dependency-upgrade-policy.md)
+- [php:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/php/dependency-upgrade-policy.md)
+- [python:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/python/dependency-upgrade-policy.md)
+- [ruby:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/ruby/dependency-upgrade-policy.md)
+- [csharp:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/csharp/dependency-upgrade-policy.md)
+- [go:dependency-upgrade-policy](/Users/x/websafe/05-defense/secure-code/go/dependency-upgrade-policy.md)

07-framework-security/platforms/phpmyadmin/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `50`
-- 最近渲染时间: `2026-03-23T09:54:10+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/platforms/redmine/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `50`
-- 最近渲染时间: `2026-03-23T09:54:10+00:00`
+- 最近渲染时间: `2026-03-24T09:18:19+00:00`
 
 ## 目标约束
 

07-framework-security/servers/apache-httpd/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `135`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/servers/apache-tomcat/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `136`
-- 最近渲染时间: `2026-03-23T09:54:10+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/servers/caddy/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `29`
-- 最近渲染时间: `2026-03-23T09:54:10+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/servers/haproxy/INDEX.md

@@ -5,14 +5,14 @@
 - 系统 ID: `haproxy`
 - 分类: `servers`
 - 覆盖策略: `rolling-24m`
-- 总案例数: `6`
+- 总案例数: `7`
 - 近 30 天新增/更新: `0`
 - 重点 Markdown 案例数: `0`
 - 已实证(真实版本): `0`
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
-- 待人工/缺浏览器证据: `6`
-- 最近渲染时间: `2026-03-23T09:54:10+00:00`
+- 待人工/缺浏览器证据: `7`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 
@@ -33,6 +33,7 @@
 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
 | Omnissa Horizon alternative: how HAProxy solves UDP load balancing | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Wed, 25 Feb 2026 14:00:00 +0000` | - |
+| Announcing HAProxy Unified Gateway 1.0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Tue, 24 Mar 2026 00:00:00 +0000` | - |
 | Don't panic: a low-risk strategy for Ingress NGINX retirement | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Thu, 19 Feb 2026 09:00:00 +0000` | - |
 | Announcing HAProxy Fusion 2.0 | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Mon, 16 Mar 2026 08:00:00 +0000` | - |
 | Load balancing VMware Horizon's UDP and TCP traffic: a guide with HAProxy | `unknown` | `triage` | `triage-manual` | `synthetic` | `official` | `Fri, 27 Feb 2026 09:59:00 +0000` | - |

07-framework-security/servers/nginx/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `110`
-- 最近渲染时间: `2026-03-23T09:54:09+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 

07-framework-security/servers/traefik/INDEX.md

@@ -12,7 +12,7 @@
 - 已实证(synthetic): `0`
 - 阻塞数: `0`
 - 待人工/缺浏览器证据: `45`
-- 最近渲染时间: `2026-03-23T09:54:10+00:00`
+- 最近渲染时间: `2026-03-24T09:18:18+00:00`
 
 ## 目标约束
 
@@ -31,8 +31,8 @@
 
 | 标题 | 严重度 | 案例状态 | 实证状态 | 实证方式 | 来源置信度 | 更新时间 | 案例页 |
 |------|--------|----------|----------|----------|------------|----------|--------|
-| Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-20T15:46:26.940872Z` | - |
-| Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-20T15:46:41.715568Z` | - |
+| Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-23T18:56:05.020639Z` | - |
+| Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config | `medium` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-23T18:56:07.286130Z` | - |
 | Traefik: kubernetes gateway rule injection via unescaped backticks in HTTPRoute match values in github.com/traefik/traefik | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-23T04:52:53.505590Z` | - |
 | Traefik: HTTP/2 frames can cause a running server to panic in github.com/traefik/traefik | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-23T04:52:55.119301Z` | - |
 | Traefik has unbounded io.ReadAll on auth server response body that causes OOM DOS in github.com/traefik/traefik | `unknown` | `generated` | `triage-manual` | `synthetic` | `official` | `2026-03-23T04:53:12.392934Z` | - |