Rocket.Chat - 7 CVEs (Page 1/1)

About “Rocket.Chat”

A curated feed of “Rocket.Chat”-related CVEs appears below. We currently track 7 CVEs for this tag (all time). In the last 365 days, 1 were published. Average CVSS is 5.0 (all time; 4.3 over 365d), and 0% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-400 - Uncontrolled Resource Consumption.

In our taxonomy this topic maps to a MODERATE impact class. CMS and plugins expand attack surface. Patch core, themes, and plugins, remove abandoned extensions, restrict admin access, enable WAF, and keep backups. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: rocket-chat

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	Premier Support	EOL	LTS
8.4	2026-04-30	8.4.3	2026-04-30	2026-10-31 Soon
8.3	2026-04-07	8.3.5	2026-04-07	2026-10-31 Soon
8.2	2026-03-02	8.2.5	2026-03-02	2026-09-30 Soon
8.1	2026-02-10	8.1.5	2026-02-10	2026-08-31 Soon
8.0	2026-01-12	8.0.6	2026-01-12	2026-06-30 Soon
7.13	2025-12-05	7.13.8	2025-12-05	2026-05-31 Expired
7.12	2025-10-31	7.12.7	2025-10-31	2026-04-30 Expired
7.11	2025-10-17	7.11.7	2025-10-17	2026-03-31 Expired
7.10	2025-09-04	7.10.12	2025-09-04	2026-06-30 Soon	LTS
7.9	2025-07-29	7.9.8	2025-07-29	2026-01-31 Expired
7.8	2025-07-08	7.8.6	2025-07-08	2026-01-31 Expired
7.7	2025-05-31	7.7.9	2025-05-31	2025-11-30 Expired
7.6	2025-05-13	7.6.6	2025-05-13	2025-11-30 Expired
7.5	2025-04-07	7.5.5	2025-04-07	2025-10-31 Expired
7.4	2025-03-05	7.4.6	2025-03-05	2025-08-31 Expired
7.3	2025-01-31	7.3.6	2025-01-31	2025-07-31 Expired
7.2	2025-01-07	7.2.6	2025-01-07	2025-07-31 Expired
7.1	2024-12-04	7.1.6	2024-12-04	2025-06-30 Expired
7.0	2024-10-31	7.0.9	2024-10-31	2025-04-30 Expired
6.13	2024-10-10	6.13.1	2024-10-10	2025-04-30 Expired
6.12	2024-09-05	6.12.3	2024-09-05	2025-03-31 Expired
6.11	2024-08-09	6.11.3	2024-08-09	2025-02-28 Expired
6.10	2024-07-10	6.10.10	2024-07-10	2025-01-31 Expired
6.9	2024-06-02	6.9.7	2024-06-02	2024-12-31 Expired
6.8	2024-05-12	6.8.7	2024-06-12	2024-11-30 Expired
6.7	2024-04-08	6.7.9	2024-05-12	2024-10-31 Expired
6.6	2024-02-07	6.6.13	2024-04-08	2024-08-31 Expired
6.5	2023-12-01	6.5.9	2024-02-07	2024-06-30 Expired
6.4	2023-09-27	6.4.9	2023-12-01	2024-03-31 Expired
6.3	2023-08-02	6.3.13	2023-09-27	2024-02-29 Expired
6.2	2023-05-15	6.2.12	2023-08-02	2023-11-30 Expired
6.1	2023-03-29	6.1.8	2023-05-15	2023-09-30 Expired
6.0	2023-03-09	6.0.8	2023-03-29	2023-09-30 Expired
5.4	2022-12-05	5.4.10	2023-03-09	2023-06-30 Expired	LTS
5.3	2022-11-01	5.3.7	2022-12-05	2023-05-31 Expired
5.2	2022-10-13	5.2.2	2022-11-01	2023-04-30 Expired
5.1	2022-09-02	5.1.5	2022-10-13	2023-03-31 Expired
5.0	2022-07-21	5.0.8	2022-09-02	2023-01-31 Expired
4.8	2022-05-31	4.8.7	2022-07-21	2022-12-31 Expired	LTS
4.7	2022-05-04	4.7.5	2022-05-31	2022-11-30 Expired
4.6	2022-04-01	4.6.4	2022-05-04	2022-10-31 Expired
4.5	2022-02-28	4.5.7	2022-04-01	2022-09-30 Expired
4.4	2022-01-28	4.4.5	2022-02-28	2022-07-31 Expired
4.3	2021-12-28	4.3.3	2022-01-28	2022-06-30 Expired
4.2	2021-11-30	4.2.4	2021-12-28	2022-05-31 Expired
4.1	2021-10-28	4.1.6	2021-11-30	2022-04-30 Expired
4.0	2021-10-01	4.0.6	2021-10-28	2022-04-30 Expired
3.18	2021-08-31	3.18.7	2021-10-01	2022-02-28 Expired	LTS
3.17	2021-07-30	3.17.3	2021-08-31	2022-01-31 Expired
3.16	2021-06-28	3.16.5	2021-07-30	2021-12-31 Expired
3.15	2021-05-28	3.15.4	2021-06-28	2021-11-30 Expired
3.14	2021-04-28	3.14.6	2021-05-28	2021-10-31 Expired
3.13	2021-04-04	3.13.5	2021-04-28	2021-10-31 Expired
3.12	2021-02-28	3.12.7	2021-04-04	2021-08-31 Expired
3.11	2021-01-31	3.11.6	2021-02-28	2021-08-31 Expired
3.10	2020-12-29	3.10.7	2021-01-31	2021-06-30 Expired
3.9	2020-11-28	3.9.7	2020-12-29	2021-05-31 Expired
3.8	2020-11-14	3.8.9	2020-11-28	2021-05-31 Expired
3.7	2020-09-28	3.7.4	2020-11-14	2021-03-31 Expired
3.6	2020-08-29	3.6.3	2020-09-28	2021-02-28 Expired
3.5	2020-07-27	3.5.4	2020-08-29	2021-01-31 Expired
3.4	2020-06-30	3.4.3	2020-07-27	2020-12-31 Expired
3.3	2020-05-27	3.3.3	2020-06-30	2020-11-30 Expired
3.2	2020-04-27	3.2.2	2020-05-27	2020-10-31 Expired
3.1	2020-04-09	3.1.3	2020-04-27	2020-10-31 Expired
3.0	2020-02-14	3.0.13	2020-04-09	2020-08-31 Expired
2.4	2019-12-27	2.4.14	2020-02-14	2020-06-30 Expired	LTS
2.3	2019-11-27	2.3.3	2019-12-27	2020-05-31 Expired
2.2	2019-10-27	2.2.1	2019-11-27	2020-04-30 Expired
2.1	2019-09-27	2.1.3	2019-10-27	2020-03-31 Expired
2.0	2019-09-12	2.0.1	2019-09-27	2020-03-31 Expired
1.3	2019-08-02	1.3.5	2019-09-12	2020-02-29 Expired	LTS
1.2	2019-06-27	1.2.4	2019-08-02	2019-12-31 Expired
1.1	2019-05-27	1.1.5	2019-06-27	2019-11-30 Expired
1.0	2019-04-28	1.0.5	2019-05-27	2019-10-31 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “Rocket.Chat”

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2025-06-09

Medium

CVE-2025-5892

A vulnerability, which was classified as problematic, has been found in RocketChat up to 7.6.1. This issue affects the function parseMessage of the file /apps/meteor/app/irc/server/servers/RFC2813/pa…

CVSS: 4.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD

2022-06-30

Medium

CVE-2022-34802

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by use…

CVSS: 4.3 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD

2022-04-01

Medium

CVE-2022-21830

A blind self XSS vulnerability exists in RocketChat LiveChat <v1.9 that could allow an attacker to trick a victim pasting malicious code in their chat instance.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

2022-03-29

Medium

CVE-2022-28139

A missing permission check in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified cred…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD

Medium

CVE-2022-28138

A cross-site request forgery (CSRF) vulnerability in Jenkins RocketChat Notifier Plugin 1.4.10 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credential.

CVSS: 4.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD

2018-07-11

Medium

CVE-2018-13879

A reflected XSS issue was discovered in the registration form in Rocket.Chat before 0.66. When one creates an account, the next step will ask for a username. This field will not save HTML control cha…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD

Medium

CVE-2018-13878

An XSS issue was discovered in packages/rocketchat-mentions/Mentions.js in Rocket.Chat before 0.65. The real name of a username is displayed unescaped when the user is mentioned (using the @ symbol)…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD