CVE-2026-3108 HIGH

CVE-2026-3108: Terminal Escape Injection in mmctl Report Posts Command

Vendor Mattermost
Product Mattermost
Weakness CWE-150
Published March 26, 2026
Last update March 27, 2026

CVSS base score

8.0/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, and 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in mmctl command terminal output, which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking. Mattermost Advisory ID: MMSA-2026-00599
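The output neutralization that CWE-150 calls for, sketched in Go as an added example (this is not Mattermost's code or its actual fix). The helper name `SanitizeForTerminal` and the sample strings are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// SanitizeForTerminal is a hypothetical helper (not part of mmctl). It makes
// untrusted text safe to print on a terminal by rendering control characters
// as visible \xNN text so the terminal never interprets them.
func SanitizeForTerminal(s string) string {
	var b strings.Builder
	// Ranging over a string decodes UTF-8; an invalid byte such as a raw
	// 0x9b (8-bit CSI) becomes U+FFFD and is never emitted as-is.
	for _, r := range s {
		switch {
		case r == '\n' || r == '\t':
			// Keep ordinary layout characters found in multi-line posts.
			b.WriteRune(r)
		case unicode.IsControl(r):
			// C0 (ESC 0x1b, BEL 0x07, CR 0x0d, ...), DEL, and C1
			// (U+0080-U+009F): show them instead of sending them.
			fmt.Fprintf(&b, "\\x%02x", r)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

func main() {
	// Constructed sample post contents, not taken from the advisory.
	samples := []string{
		"normal message\twith a tab",
		"clear screen: \x1b[2J then text", // CSI sequence
		"set title: \x1b]0;example\x07",   // OSC sequence ended by BEL
		"overwrite line\rfake prompt",     // carriage return
	}
	for _, post := range samples {
		fmt.Println(SanitizeForTerminal(post))
	}
}
```

Escaping rather than deleting the bytes keeps the tampering attempt visible to the administrator reviewing the output.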

Key dates

02 Disclosure timeline

March 26, 2026 CVE published
March 27, 2026 Record updated