
Mattermost CVE-2026-3495

EUVD-2026-30742 | Severity: LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-18 | Mattermost | GHSA-jx93-pf6x-874r
CVSS 3.1 score: 3.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: May 18, 2026 - 08:15 (vuln.today)

Description (NVD)

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition, which allows an attacker with access to edit some site configuration to execute malicious code by injecting JS as part of those values. Mattermost Advisory ID: MMSA-2026-00622

Analysis (AI)

Cross-site scripting (XSS) in Mattermost Server 10.11.0-10.11.13 and 11.5.0-11.5.1 enables authenticated administrators to inject JavaScript code through unescaped variables in error page templates. Exploitation requires high-privilege (PR:H) administrative access to site configuration settings, limiting real-world risk despite the network-based attack vector (AV:N). …
