CVE-2026-3471

MEDIUM NVD

CVSS Score 6.5

Severity MEDIUM

Published May 18, 2026

Vendor unknown

Description

Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling { {window.open('javascript:alert()');} }. Mattermost Advisory ID: MMSA-2026-00618

References

https://mattermost.com/security-updates