CVE-2026-4054

Received Received - Intake

BaseFortify

Publication date: 2026-05-15

Last updated on: 2026-05-18

Assigner: Mattermost, Inc.

Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header (e.g. image/png) embedded in an og:image meta tag or Markdown image link.. Mattermost Advisory ID: MMSA-2026-00630

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-15

Last Modified

2026-05-18

Generated

2026-06-10

EPSS Evaluated

2026-06-08

NVD

CVE-2026-4054

Affected Vendors & Products

Vendor	Product	Version / Range
mattermost	mattermost_server	From 10.11.0 (inc) to 10.11.14 (exc)
mattermost	mattermost_server	From 11.4.0 (inc) to 11.4.4 (exc)
mattermost	mattermost_server	From 11.5.0 (inc) to 11.5.2 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-754	The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

Attack-Flow Graph

AI Quick Actions have not been generated yet.

Hi! I’m here to help you understand CVE-2026-4054. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-4054

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart