CVE-2026-3471 | THREATINT

Description

Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling {{window.open('javascript:alert()');}}. Mattermost Advisory ID: MMSA-2026-00618

PUBLISHED Reserved 2026-03-03 | Published 2026-05-18 | Updated 2026-05-18 | Assigner Mattermost

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Problem types

CWE-939: Improper Authorization in Handler for Custom URL Scheme

Product status

Default status

unaffected

Any version

affected

Any version

affected

6.2.0

unaffected

6.1.1.0

unaffected

5.13.5.0

unaffected

Credits

game0v3r finder

References

mattermost.com/security-updates (MMSA-2026-00618) vendor-advisory

cve.org (CVE-2026-3471)

nvd.nist.gov (CVE-2026-3471)

Download JSON