CVE-2026-3495
LOW 3.8Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those values.. Mattermost Advisory ID: MMSA-2026-00622
NO EXPLOITATION SIGNALS
No known exploitation, public exploit, or elevated probability at this time. Track for changes.
Exploitation likelihood
0.1%chance of exploitation in 30 days · 4th percentile
○ In CISA KEV
○ Public exploit / PoC
Impact if exploited
3.8CVSS 3.1 · LOW
- ConfidentialityLow
- IntegrityLow
- AvailabilityNone
What an attacker needs
- ✓Access: Reachable over the network — no local access needed
- ⚠Privileges: Requires an admin / high-privilege account
- ✓User interaction: No user interaction needed
- ✓Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Weakness (CWE)
- CWE-79: Cross-site scripting (XSS)
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N