Mattermost Server is vulnerable to XSS through author_link field in Slack attachments

GHSA-498j-wxww-j897 · CVE-2017-18879 · GO-2025-4189

Published May 24, 2022 · Modified Dec 9, 2025

Description

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment.

Ready to move

Free, no credit card | First findings in minutes