CVE-2026-3471

Summary

Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling {{window.open('javascript:alert()');}}. Mattermost Advisory ID: MMSA-2026-00618

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost0 <= 6.0.1affected
MattermostMattermost0 <= 5.4.13affected
MattermostMattermost6.2.0unaffected
MattermostMattermost6.1.1.0unaffected
MattermostMattermost5.13.5.0unaffected

Weaknesses

  • CWE-939: CWE-939: Improper Authorization in Handler for Custom URL Scheme

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References