CVE-2026-3495

LOW

Mattermost 10.11.0-10.11.13 and 11.5.0-11.5.1 - Stored Cross-Site Scripting in Error Page Configuration

Title source: llm
STIX 2.1

Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those values.. Mattermost Advisory ID: MMSA-2026-00622

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory
MMSA-2026-00622
https://mattermost.com/security-updates

Scores

CVSS v3 3.8
EPSS 0.0003
EPSS Percentile 8.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (6)
Mattermost/Mattermost 10.11.0 - 10.11.13
Mattermost/Mattermost 10.11.14
Mattermost/Mattermost 11.5.0 - 11.5.1
Mattermost/Mattermost 11.5.2
Mattermost/Mattermost 11.6.0
mattermost/mattermost_server 10.11.0 - 10.11.14
Published May 18, 2026
Tracked Since May 18, 2026