Mattermost doesn't sanitize team member data when returned via API to users without elevated permissions in github.com/mattermost/mattermost-server
{ "url": "https://pkg.go.dev/vuln/GO-2026-5818", "review_status": "UNREVIEWED" }
"https://vuln.go.dev/ID/GO-2026-5818.json"