4.8
CVE-2026-3495
- EPSS 0.14%
- Veröffentlicht 18.05.2026 06:58:29
- Zuletzt bearbeitet 19.05.2026 17:37:07
- Quelle responsibledisclosure@mattermo
- CVE-Watchlists
- Unerledigt
Unescaped variables during error page composition
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those values.. Mattermost Advisory ID: MMSA-2026-00622
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mattermost ≫ Mattermost Server Version >= 10.11.0 < 10.11.14
Mattermost ≫ Mattermost Server Version >= 11.5.0 < 11.5.2
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.14% | 0.039 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.8 | 1.7 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
|
| responsibledisclosure@mattermost.com | 3.8 | 1.2 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://mattermost.com/security-updates