Mattermost doesn't escape some variables that could contain malicious content during error page composition

GHSA-jx93-pf6x-874r · CVE-2026-3495

Published May 18, 2026 · Modified Jun 1, 2026

Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those values.. Mattermost Advisory ID: MMSA-2026-00622

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-3495
WEB https://github.com/mattermost/mattermost/commit/5a1ea95044dc2d1ca601bfe9a4c1bc17990f3872
PACKAGE https://github.com/mattermost/mattermost
WEB https://mattermost.com/security-updates

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes