Cyber Resilience

CVE-2026-20719

Severity: Medium
Published: 25 March 2026
Modified: 26 March 2026
KEV: not listed
CVSS v3.1: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
EPSS: 0.0007 (21.9th percentile)
Risk Priority: 9 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20719 is a medium-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Mattermost Server (vendor: Mattermost). Its CVSS v3.1 base score is 4.3 (Medium); the vector carries no confidentiality or integrity impact and only a limited availability impact (A:L).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS places it at the 21.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering); applying the fixed release referenced in the vendor advisory remains the primary remediation.

Deeper analysis

CVE-2026-20719 affects Mattermost Server 11.4.0, 11.3.x up to and including 11.3.1, 11.2.x up to and including 11.2.3, and 10.11.x up to and including 10.11.11. The software fails to prevent external SVGs from being rendered in link embeds (the previews generated for URLs posted in a channel). The weakness is classed as CWE-754 (Improper Check for Unusual or Exceptional Conditions); the component that fails is the Mattermost webapp and desktop app, i.e. the client side, not the server process. It carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) and was published on 2026-03-25.

The attack path in the advisory text is as follows: an attacker who holds no Mattermost account creates a GitHub issue or pull request whose content references an externally hosted SVG. When a link to that issue or PR is embedded in Mattermost, the preview renders the SVG and the webapp or desktop app crashes. Note the mismatch between that description ("unauthenticated users") and the CVSS vector's PR:L: the vector presumably counts the Mattermost user who posts the link into a channel, while the party controlling the SVG needs no Mattermost privileges at all. The impact is a limited denial of service against the clients that render the preview; the server is not reported to crash.

Mattermost Advisory ID MMSA-2026-00595 covers this vulnerability, with further details at https://mattermost.com/security-updates. Practitioners should take the fixed releases and any interim guidance from that advisory rather than from third-party range data.

Vulnerability details

Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitHub. Mattermost Advisory ID: MMSA-2026-00595

CWE(s)

CWE-754 Improper Check for Unusual or Exceptional Conditions

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The flaw in SVG embed rendering is triggered by attacker-supplied content and results in a client-side crash of the webapp and desktop app, which is the denial-of-availability outcome T1499.004 describes.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24458 (same product: Mattermost Server)
CVE-2026-2454 (same product: Mattermost Server)
CVE-2025-20621 (same product: Mattermost Server)
CVE-2025-24490 (same product: Mattermost Server)
CVE-2025-25274 (same product: Mattermost Server)
CVE-2025-14273 (same product: Mattermost Server)
CVE-2025-12421 (same product: Mattermost Server)
CVE-2025-25068 (same product: Mattermost Server)
CVE-2026-4858 (same product: Mattermost Server)
CVE-2026-6346 (same product: Mattermost Server)

Affected Assets

Vendor: Mattermost
Product: Mattermost Server
Tracked version ranges: 10.11.0 — 10.11.12 · 11.2.0 — 11.2.4 · 11.3.0 — 11.3.2

Caveat: these tracked ranges do not match the advisory text above, which lists 10.11.x <= 10.11.11, 11.2.x <= 11.2.3, 11.3.x <= 11.3.1 and 11.4.0 as affected. Each upper bound here is one patch release higher than the advisory's, so the bounds are presumably exclusive (the first fixed release in each branch), and the 11.4 branch is absent. Treat the advisory's list as authoritative when deciding whether a deployment is affected.

Mitigating Controls (NIST SP 800-53 r5, AI-assigned mapping)

SI-2 Flaw Remediation (prevent): directly requires timely identification, reporting and correction of the specific flaw, here the failure to prevent external SVG rendering in link embeds; in practice this means deploying the release referenced by MMSA-2026-00595.

SI-10 Information Input Validation (prevent): mandates validation of inputs arriving from external sources such as GitHub links, so that malicious external SVGs are blocked or sanitized before the embed is processed.

SI-15 Information Output Filtering (prevent): requires filtering of the information emitted in link embeds so that external SVGs are never transmitted to, or rendered by, the webapp and desktop app.
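The input-validation and output-filtering controls above, as an added JavaScript example. This is not Mattermost's code and does not reproduce the fix shipped under MMSA-2026-00595; it shows the shape of a check a practitioner would put in front of a link-preview renderer. It assumes a server-side preview fetcher has produced an embed object shaped { url, title, images: [{ url, contentType, head }] }, where head holds the first bytes of the fetched image (an assumed data shape), and it gates each image on three independent signals, because an attacker controls all three and any one of them can lie. The sample embed is constructed for the example.

```javascript
// Added example, not Mattermost code: gate link-embed images so that an externally
// hosted SVG never reaches the client's renderer. Three independent checks:
//   1. URL scheme and file extension,
//   2. declared Content-Type against an allowlist of raster types only,
//   3. a sniff of the first bytes of the body for an <svg> root element.

const RASTER_TYPES = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);

// Reject anything that is not an http(s) URL (data:, javascript:, file: ...)
// and any path that names an SVG file.
function isUnsafeImageUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return true; // unparsable URL: refuse to fetch it
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return true;
  const path = parsed.pathname.toLowerCase();
  return path.endsWith(".svg") || path.endsWith(".svgz");
}

// "IMAGE/SVG+XML; charset=utf-8" -> "image/svg+xml"
function normalizeContentType(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// SVG documents start (after BOM/whitespace, optional XML prolog, comments and
// DOCTYPE) with an <svg ...> root element; only the first 512 bytes are inspected.
function bodyLooksLikeSvg(headBytes) {
  const text = new TextDecoder("utf-8")
    .decode(headBytes.subarray(0, 512))
    .replace(/^\uFEFF/, "")
    .trimStart();
  return /^(<\?xml[^>]*\?>\s*)?(<!--[\s\S]*?-->\s*)*(<!DOCTYPE[^>]*>\s*)?<svg[\s>\/]/i.test(text);
}

// Decide whether one embed image may be rendered. `image` is assumed to be
// { url, contentType, head } with `head` a Uint8Array of already-fetched bytes.
function embedImageDecision(image) {
  if (!image || !image.url) return { render: false, reason: "no image" };
  if (isUnsafeImageUrl(image.url)) return { render: false, reason: "url rejected" };
  const type = normalizeContentType(image.contentType);
  if (!RASTER_TYPES.has(type)) return { render: false, reason: "content type not allowlisted" };
  if (image.head instanceof Uint8Array && bodyLooksLikeSvg(image.head)) {
    return { render: false, reason: "body sniffs as svg" };
  }
  return { render: true, reason: "ok" };
}

// Output filter (the SI-15 side): return a copy of the embed with every rejected
// image stripped, so the preview degrades to title/description instead of crashing.
function sanitizeLinkEmbed(embed) {
  const images = (embed.images || []).filter((img) => embedImageDecision(img).render);
  return { ...embed, images };
}

// Constructed sample: a preview for a GitHub issue whose attacker-controlled body points
// at an external SVG under four disguises, next to one legitimate PNG.
const enc = new TextEncoder();
const SAMPLE_EMBED = {
  url: "https://github.com/example/repo/issues/1",
  title: "Issue #1",
  images: [
    { url: "https://attacker.example/x.svg", contentType: "image/png", head: enc.encode("<svg xmlns=...") },
    { url: "https://attacker.example/x.png", contentType: "image/svg+xml; charset=utf-8", head: enc.encode("<svg") },
    { url: "https://attacker.example/x.png", contentType: "image/png",
      head: enc.encode('<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"/>') },
    { url: "data:image/svg+xml,%3Csvg%2F%3E", contentType: "image/png", head: enc.encode("") },
    { url: "https://cdn.example/ok.png", contentType: "image/png", head: new Uint8Array([0x89, 0x50, 0x4e, 0x47]) },
  ],
};

console.log(SAMPLE_EMBED.images.map((img) => `${img.url} -> ${embedImageDecision(img).reason}`).join("\n"));
console.log(`${sanitizeLinkEmbed(SAMPLE_EMBED).images.length} image(s) survive`);
```

The point of the three-way check is that URL extension, declared type and body bytes are each attacker-chosen and each one alone is bypassable; the safe default for untrusted previews is an allowlist of raster types plus a sniff, with any disagreement resolved by dropping the image rather than trusting one signal. Keep a neutral placeholder for dropped images so previews still render as text.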
