CVE-2026-3495 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-3495

CVE-2026-3495

Published:May 18, 2026

Updated:June 11, 2026

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those values.. Mattermost Advisory ID: MMSA-2026-00622

Affected Packages

https://github.com/mattermost/mattermost.git (GITHUB):

Affected version(s) >=v11.5.0 <v11.5.2

Fix Suggestion:

Update to version v11.5.2

https://github.com/mattermost/mattermost.git (GITHUB):

Affected version(s) >=v10.11.0 <v10.11.14

Fix Suggestion:

Update to version v10.11.14

github.com/mattermost/mattermost (GO):

Affected version(s) >=v10.11.0 <v10.11.14

Fix Suggestion:

Update to version v10.11.14

github.com/mattermost/mattermost (GO):

Affected version(s) >=v11.5.0 <v11.5.2

Fix Suggestion:

Update to version v11.5.2

Related Resources (4)

https://mattermost.com/security-updates

https://github.com/mattermost/mattermost/commit/5a1ea95044dc2d1ca601bfe9a4c1bc17990f3872

https://nvd.nist.gov/vuln/detail/CVE-2026-3495

https://github.com/mattermost/mattermost

Do you need more information?

CVSS v4

Base Score:

5.1

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

HIGH

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

3.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

EPSS

Base Score:

0.03