CVE-2026-20719

MEDIUM4.3EPSS 0.07%

Mattermost: Authenticated DoS through failure to prevent rendering of external SVGs on link embeds

Published: 3/25/2026Modified: 3/30/2026

Description

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitHub. Mattermost Advisory ID: MMSA-2026-00595

Affected packages (1)

Go/github.com/mattermost/mattermost/server/v8>= 11.4.0-rc1, < 11.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-20719
PATCHhttps://github.com/mattermost/mattermost
WEBhttps://mattermost.com/security-updates