CVE-2026-20719
SVG Rendering Vulnerability in Mattermost Allows Denial of Service
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: Mattermost, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.12 (exc) |
| mattermost | mattermost_server | From 11.2.0 (inc) to 11.2.4 (exc) |
| mattermost | mattermost_server | From 11.3.0 (inc) to 11.3.2 (exc) |
| mattermost | mattermost_server | From 11.4.0 (inc) to 11.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects certain versions of Mattermost (11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11) where the application fails to prevent rendering of external SVG files on link embeds.
Because of this failure, unauthenticated users can exploit this by creating an issue or pull request on GitHub that includes such SVGs, which causes the Mattermost web and desktop applications to crash.
How can this vulnerability impact me? :
The impact of this vulnerability is a denial of service condition where the Mattermost webapp and desktop app can be crashed by unauthenticated users.
This could disrupt communication and collaboration within an organization using the affected Mattermost versions.