Impact
Mattermost versions from 10.11.0 to 11.4.0 allow unauthenticated users to trigger a denial of service by embedding external SVG images in link previews, causing the web and desktop applications to crash due to improper handling of such content. This vulnerability stems from a flaw that fails to block rendering of external SVG files, leading to application instability and service interruption. The weakness is identified as CWE-754, involving improper release of resources.
Affected Systems
The affected product is Mattermost Server. Versions 11.4.0, 11.3.x up to and including 11.3.1, 11.2.x up to and including 11.2.3, and 10.11.x up to and including 10.11.11 are vulnerable. All installations of Mattermost older than 11.5.0, 11.4.1, 11.3.2, 11.2.4, or 10.11.12 must be updated to address the issue.
Risk and Exploitability
The vulnerability carries a CVSS base score of 4.3, indicating low to medium severity, and an EPSS estimate below 1%, suggesting a low probability of widespread exploitation. It is not listed in CISA’s KEV catalog. The attack vector is inferred to be unauthenticated users accessing link previews containing malicious external SVGs, which can be triggered simply by creating or viewing issues or pull requests that reference such content. Attackers do not need privileged access; the crash can deny service to all users of a Mattermost instance.
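The advisory describes the flaw as a failure to block rendering of external SVG in link previews. The following is an added example, not Mattermost's own code, of the kind of fail-closed gate a link-preview fetcher can apply before handing an image to the renderer: the helper name, the raster allow-list and the sample bodies are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"mime"
	"net/url"
	"path"
	"strings"
)

// rasterMagic pairs each allowed image MIME type with the leading bytes a real
// file of that type must carry. SVG is text, so it can never match any of these.
var rasterMagic = map[string][][]byte{
	"image/png":  {[]byte("\x89PNG\r\n\x1a\n")},
	"image/jpeg": {{0xff, 0xd8, 0xff}},
	"image/gif":  {[]byte("GIF87a"), []byte("GIF89a")},
}

// AllowPreviewImage decides whether a candidate link-preview image may be handed to
// the renderer. It fails closed: the URL must be http(s) without an SVG extension,
// the declared Content-Type must be on the raster allow-list, and the body's magic
// bytes must agree with that type, so an SVG that a server mislabels as image/png
// is still rejected. (Hypothetical helper, not Mattermost's implementation.)
func AllowPreviewImage(rawURL, contentType string, body []byte) bool {
	u, err := url.Parse(rawURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return false
	}
	if ext := strings.ToLower(path.Ext(u.Path)); ext == ".svg" || ext == ".svgz" {
		return false
	}
	mt, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return false
	}
	magics, ok := rasterMagic[strings.ToLower(mt)]
	if !ok {
		return false // image/svg+xml, text/html, or anything unexpected
	}
	for _, m := range magics {
		if bytes.HasPrefix(body, m) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample bodies: a minimal PNG header and a small SVG document.
	png := []byte("\x89PNG\r\n\x1a\nIHDR...")
	svg := []byte(`<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>`)
	fmt.Println(AllowPreviewImage("https://cdn.example/logo.png", "image/png", png))      // true
	fmt.Println(AllowPreviewImage("https://cdn.example/logo.svg", "image/svg+xml", svg)) // false
	fmt.Println(AllowPreviewImage("https://cdn.example/logo.png", "image/png", svg))     // false
}
```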
OpenCVE Enrichment
Github GHSA