CVE-2026-20719

MEDIUM

DoS via URL Previews Rendering Malicious SVGs

Title source: cna
STIX 2.1

Description

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitHub.. Mattermost Advisory ID: MMSA-2026-00595

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
MMSA-2026-00595
https://mattermost.com/security-updates

Scores

CVSS v3 4.3
EPSS 0.0035
EPSS Percentile 26.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-754
Status published
Products (11)
Mattermost/Mattermost 10.11.0 - 10.11.11
Mattermost/Mattermost 10.11.12
Mattermost/Mattermost 11.2.0 - 11.2.3
Mattermost/Mattermost 11.2.4
Mattermost/Mattermost 11.3.0 - 11.3.1
Mattermost/Mattermost 11.3.2
Mattermost/Mattermost 11.4.0
mattermost/mattermost 11.4.0-rc1 - 11.4.1Go
Mattermost/Mattermost 11.4.1
Mattermost/Mattermost 11.5.0
... and 1 more
Published Mar 25, 2026
Tracked Since Mar 25, 2026