CVE-2026-3495
Stored XSS in Mattermost via Error Page Configuration
Publication date: 2026-05-18
Last updated on: 2026-05-19
Assigner: Mattermost, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mattermost | mattermost_server | From 10.11.0 (inc) to 10.11.14 (exc) |
| mattermost | mattermost_server | From 11.5.0 (inc) to 11.5.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Mattermost versions 11.5.x up to and including 11.5.1 and 10.11.x up to and including 10.11.13. It occurs because some variables that may carry attacker-controlled content are not properly escaped when error pages are composed. An attacker who is able to edit certain site configuration values can place malicious JavaScript in those variables, and it is executed whenever the error page is rendered in a user's browser.
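To illustrate the defect class the answer describes, the hypothetical Go snippet below (added here; not Mattermost's code and not its actual error-page code path) composes an error page from an admin-editable configuration value twice: once by string concatenation, which emits markup verbatim, and once through `html/template`, which escapes each value according to where it lands. The `SiteConfig` type and its fields are assumptions.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// SiteConfig stands in for admin-editable site settings that end up on an
// error page. Hypothetical type; not Mattermost's own code.
type SiteConfig struct {
	SiteName    string
	SupportLink string
}

// renderUnescaped builds the page by string concatenation, so any markup in
// a configuration value is emitted verbatim (the CWE-79 pattern).
func renderUnescaped(cfg SiteConfig, msg string) string {
	return "<h1>" + cfg.SiteName + "</h1><p>" + msg +
		`</p><a href="` + cfg.SupportLink + `">Contact support</a>`
}

// errorTmpl is parsed once; html/template chooses an escaper per context.
var errorTmpl = template.Must(template.New("err").Parse(
	`<h1>{{.Cfg.SiteName}}</h1><p>{{.Msg}}</p>` +
		`<a href="{{.Cfg.SupportLink}}">Contact support</a>`))

// renderEscaped renders the same page through html/template: text nodes are
// entity-encoded and an href with an unsafe scheme becomes "#ZgotmplZ".
func renderEscaped(cfg SiteConfig, msg string) (string, error) {
	var sb strings.Builder
	err := errorTmpl.Execute(&sb, struct {
		Cfg SiteConfig
		Msg string
	}{cfg, msg})
	return sb.String(), err
}

func main() {
	// Constructed sample values, as an administrator might save them.
	cfg := SiteConfig{
		SiteName:    "Team Chat<script>x()</script>",
		SupportLink: "javascript:x()",
	}
	fmt.Println("unescaped:", renderUnescaped(cfg, "Page not found"))
	page, err := renderEscaped(cfg, "Page not found")
	if err != nil {
		panic(err)
	}
	fmt.Println("escaped:  ", page)
}
```

The fix the advisory refers to is of the second kind: route every configuration-derived value through a context-aware escaper rather than trusting it because an administrator saved it.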
How can this vulnerability impact me?
The vulnerability allows an attacker with permission to edit some site configuration to execute malicious JavaScript in the context of the Mattermost application. This can lead to limited impacts such as information disclosure or manipulation of the user interface, as indicated by the CVSS score, which reflects low confidentiality and integrity impacts and no availability impact.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Mattermost to a version later than 11.5.1 for the 11.5.x series or later than 10.11.13 for the 10.11.x series, as these versions fix the issue with unescaped variables that allow malicious code injection.
Additionally, restrict access to site configuration editing to trusted administrators only, since the vulnerability requires such access to exploit.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Mattermost versions 11.5.x <= 11.5.1 and 10.11.x <= 10.11.13 allows an attacker with access to edit some site configuration to inject malicious JavaScript via variables left unescaped during error page composition. This could lead to limited confidentiality and integrity impacts, as indicated by the CVSS score (Confidentiality: Low, Integrity: Low).
However, no specific information is provided about how this vulnerability directly affects compliance with standards and regulations such as GDPR or HIPAA.