CVE-2026-3495: Mattermost doesn't escape some variables that could contain malicious content during error page composition

May 18, 2026 (updated June 1, 2026)

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those values.. Mattermost Advisory ID: MMSA-2026-00622

References

github.com/advisories/GHSA-jx93-pf6x-874r
github.com/mattermost/mattermost/commit/5a1ea95044dc2d1ca601bfe9a4c1bc17990f3872
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2026-3495

Code Behaviors & Features

Detect and mitigate CVE-2026-3495 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →