CVE-2026-20719: Mattermost: Authenticated DoS through failure to prevent rendering of external SVGs on link embeds
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, and 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds, which allows unauthenticated users to crash the Mattermost webapp and desktop app by creating an issue or PR on GitHub. Mattermost Advisory ID: MMSA-2026-00595