CVE-2026-3471 MEDIUM

CVE-2026-3471: Opening a window with {{javascript:alert()}} as URL causes crash in the Mattermost Desktop App

Vendor Mattermost

Product Mattermost

Weakness CWE-939

Published May 18, 2026

Last update May 18, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

Description

Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling {{window.open('javascript:alert()');}}. Mattermost Advisory ID: MMSA-2026-00618

Key dates

Disclosure timeline

May 18, 2026 CVE published

May 18, 2026 Record updated

Identifiers

CVE CVE-2026-3471

CWE CWE-939

CVSS 6.5 / MEDIUM

Affected versions

Vendor Mattermost

Product Mattermost

Affected ≤ 6.0.1

Vendor Mattermost

Product Mattermost

Affected ≤ 5.4.13