Primary

Context

Mattermost Unescaped Variable Vulnerability in Error Page Composition Allowing JavaScript Injection

Vulnerability

Patched

A vulnerability exists in Mattermost versions 11.5.x through 11.5.1 and 10.11.x through 10.11.13. The issue arises because the application fails to properly escape certain variables that may contain malicious content when generating error pages. This flaw enables an attacker with permission to modify site configuration to inject JavaScript into those variables, potentially leading to the execution of malicious code.

Impact

Exploitation of this vulnerability could allow for the injection and execution of malicious JavaScript code, potentially compromising the security of the affected Mattermost instance.

Remediation

Users can upgrade to Mattermost versions 11.7.0 or 11.7.0 to address this vulnerability.

Added: May 18, 2026, 8:22 AM

Updated: May 18, 2026, 8:22 AM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

5.4

exploitability

4.5

remediation

7.7

relevance

8.7

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

5.4

exploitability

4.5

remediation

7.7

relevance

8.7

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost Unescaped Variable Vulnerability in Error Page Composition Allowing JavaScript Injection

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating