CVE-2026-20719

MEDIUM

DoS via URL Previews Rendering Malicious SVGs

Title source: cna
STIX 2.1

Description

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitHub.. Mattermost Advisory ID: MMSA-2026-00595

References (1)

Scores

CVSS v3 4.3
EPSS 0.0006
EPSS Percentile 19.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-754
Status published
Products (11)
Mattermost/Mattermost 10.11.0 - 10.11.11
Mattermost/Mattermost 10.11.12
Mattermost/Mattermost 11.2.0 - 11.2.3
Mattermost/Mattermost 11.2.4
Mattermost/Mattermost 11.3.0 - 11.3.1
Mattermost/Mattermost 11.3.2
Mattermost/Mattermost 11.4.0
mattermost/mattermost 11.4.0-rc1 - 11.4.1Go
Mattermost/Mattermost 11.4.1
Mattermost/Mattermost 11.5.0
... and 1 more
Published Mar 25, 2026
Tracked Since Mar 25, 2026