CVE-2026-20719
Published: 25 March 2026
Summary
CVE-2026-20719 is a medium-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Mattermost Server (vendor: Mattermost). Its CVSS v3.1 base score is 4.3 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Endpoint Denial of Service: Application or System Exploitation (T1499.004). The CVE sits at the 19.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): requires timely identification, reporting and correction of the specific flaw in Mattermost Server that fails to prevent external SVG rendering in link embeds, i.e. applying the patched release named in the advisory.
SI-10 (Information Input Validation): requires validating input from external sources such as GitHub issue and PR links so that external SVGs are blocked or sanitized before the embed is built.
SI-15 (Information Output Filtering): requires filtering what is emitted in link embeds so that an external SVG capable of crashing the webapp and desktop app is never delivered to the client.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Rendering an attacker-supplied external SVG in a link embed crashes the Mattermost webapp and desktop app: a client-side denial of service achieved by application exploitation (T1499.004). The affected component is the viewing client, not the server process.
NVD Description
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitHub. Mattermost Advisory ID: MMSA-2026-00595
Deeper analysis
CVE-2026-20719 is a vulnerability in Mattermost versions 11.4.x up to and including 11.4.0, 11.3.x up to 11.3.1, 11.2.x up to 11.2.3, and 10.11.x up to 10.11.11, where the software fails to prevent the rendering of external SVGs in link embeds. This issue, tied to CWE-754, affects the Mattermost webapp and desktop app. It carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) and was published on 2026-03-25.
The attacker does not need a Mattermost account: the advisory describes the trigger as creating an issue or pull request on GitHub that references an external SVG, so that when a link to that issue or PR is embedded in Mattermost, the client renders the SVG and crashes. The description says "unauthenticated users" while the CVSS vector records PR:L; the advisory does not reconcile the two, but the most plausible reading is that the link still has to be posted into a channel by an authenticated Mattermost user before any client loads the preview. The impact is a limited denial of service against the webapp and desktop app (A:L); confidentiality and integrity are not affected (C:N/I:N), and the server process is not reported as crashing.
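The following Go sketch is an added illustration of the SI-10 and SI-15 controls listed above and of the embed mechanism just described; it is not Mattermost's code and not the fix shipped for this CVE. It shows how a server-side link-preview builder can refuse to pass an external SVG into an embed, and it goes a step beyond the extension check the description implies: because the attacker controls the remote host, the path extension and the Content-Type header are both untrusted, so the bytes themselves are sniffed and only allowlisted raster formats survive. The EmbedImage type, its field names, the reason strings and the example.com URLs are assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"mime"
	"net/url"
	"regexp"
	"strings"
)

// EmbedImage is one image candidate collected while building a link preview
// (for example from an og:image tag). The struct and its fields are
// assumptions for this example, not Mattermost's data model: URL is the
// candidate as found in the page, ContentType and Body are what a fetch of
// that URL returned.
type EmbedImage struct {
	URL         string
	ContentType string
	Body        []byte
}

// svgRoot matches an <svg> root element, optionally preceded by whitespace,
// an XML declaration, comments or a DOCTYPE, which is what a browser treats
// as an SVG document regardless of file extension or Content-Type.
var svgRoot = regexp.MustCompile(`(?is)^(\s|<\?xml[^>]*\?>|<!--.*?-->|<!doctype[^>]*>)*<svg[\s>]`)

// looksLikeSVG sniffs the leading bytes of the body. Sniffing is needed
// because the remote host, which the attacker controls, chooses both the
// path extension and the Content-Type header.
func looksLikeSVG(body []byte) bool {
	head := body
	if len(head) > 1024 {
		head = head[:1024]
	}
	return svgRoot.Match(head)
}

// isAllowedRaster accepts only formats identified by their magic bytes.
// A positive allowlist means an unknown or disguised format is dropped
// rather than handed to the client renderer.
func isAllowedRaster(body []byte) bool {
	switch {
	case bytes.HasPrefix(body, []byte("\x89PNG\r\n\x1a\n")):
		return true
	case bytes.HasPrefix(body, []byte("\xff\xd8\xff")): // JPEG SOI marker
		return true
	case bytes.HasPrefix(body, []byte("GIF87a")), bytes.HasPrefix(body, []byte("GIF89a")):
		return true
	case len(body) >= 12 && bytes.Equal(body[:4], []byte("RIFF")) && bytes.Equal(body[8:12], []byte("WEBP")):
		return true
	}
	return false
}

// AllowEmbedImage decides whether an image candidate may appear in the embed
// and returns a short reason on rejection. Checks run from cheapest to most
// expensive: URL shape, then declared type, then the bytes.
func AllowEmbedImage(img EmbedImage) (bool, string) {
	u, err := url.Parse(img.URL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return false, "not an absolute http(s) URL" // also rejects data: and javascript: URLs
	}
	if strings.HasSuffix(strings.ToLower(u.Path), ".svg") {
		return false, "svg extension"
	}
	if mt, _, err := mime.ParseMediaType(img.ContentType); err == nil && mt == "image/svg+xml" {
		return false, "svg content-type"
	}
	if looksLikeSVG(img.Body) {
		return false, "body sniffs as svg"
	}
	if !isAllowedRaster(img.Body) {
		return false, "not an allowlisted raster format"
	}
	return true, ""
}

// FilterEmbedImages is the output-filtering step: only URLs that pass
// AllowEmbedImage are emitted into the embed that clients will render.
func FilterEmbedImages(imgs []EmbedImage) []string {
	var kept []string
	for _, img := range imgs {
		if ok, _ := AllowEmbedImage(img); ok {
			kept = append(kept, img.URL)
		}
	}
	return kept
}

func main() {
	// Constructed samples: a genuine PNG, an SVG disguised with a .png path
	// and an image/png Content-Type (as a hostile host could serve it), an
	// honestly labelled SVG, and an inline data: URL.
	samples := []EmbedImage{
		{URL: "https://example.com/avatar.png", ContentType: "image/png", Body: []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")},
		{URL: "https://example.com/badge.png", ContentType: "image/png", Body: []byte("<?xml version=\"1.0\"?>\n<svg xmlns=\"http://www.w3.org/2000/svg\"></svg>")},
		{URL: "https://example.com/logo.svg", ContentType: "image/svg+xml", Body: []byte("<svg></svg>")},
		{URL: "data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=", Body: []byte("<svg></svg>")},
	}
	for _, s := range samples {
		ok, reason := AllowEmbedImage(s)
		fmt.Printf("%-45s allowed=%-5t %s\n", s.URL, ok, reason)
	}
	fmt.Println("embed will render:", FilterEmbedImages(samples))
}
```

Placing the decision on the server side means every client, webapp and desktop alike, receives an embed that has already been filtered, which is the SI-15 shape of the control. Because the advisory does not say what in the SVG crashed the renderer, the filter does not try to identify a bad SVG; it refuses the whole format and admits only raster types it can identify by magic bytes.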
Mattermost Advisory ID MMSA-2026-00595 addresses this vulnerability, with further details available at https://mattermost.com/security-updates. Security practitioners should review the advisory for recommended patches and mitigation guidance.
Details
- CWE(s)