CVE-2026-3495

Summary

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those values.. Mattermost Advisory ID: MMSA-2026-00622

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost11.5.0 <= 11.5.1affected
MattermostMattermost10.11.0 <= 10.11.13affected
MattermostMattermost11.6.0unaffected
MattermostMattermost11.5.2unaffected
MattermostMattermost10.11.14unaffected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References