CVE-2026-3108

Summary

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking.. Mattermost Advisory ID: MMSA-2026-00599

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost11.2.0 <= 11.2.2affected
MattermostMattermost10.11.0 <= 10.11.10affected
MattermostMattermost11.4.0 <= 11.4.0affected
MattermostMattermost11.3.0 <= 11.3.1affected
MattermostMattermost11.5.0unaffected
MattermostMattermost11.2.3unaffected
MattermostMattermost10.11.11unaffected
MattermostMattermost11.4.1unaffected
MattermostMattermost11.3.2unaffected

Weaknesses

  • CWE-150: CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References