CVE-2026-20719

Summary

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitHub.. Mattermost Advisory ID: MMSA-2026-00595

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost11.4.0 <= 11.4.0affected
MattermostMattermost11.3.0 <= 11.3.1affected
MattermostMattermost11.2.0 <= 11.2.3affected
MattermostMattermost10.11.0 <= 10.11.11affected
MattermostMattermost11.5.0unaffected
MattermostMattermost11.4.1unaffected
MattermostMattermost11.3.2unaffected
MattermostMattermost11.2.4unaffected
MattermostMattermost10.11.12unaffected

Weaknesses

  • CWE-754: CWE-754: Improper Check for Unusual or Exceptional Conditions

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References