Description
Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling {{window.open('javascript:alert()');}}. Mattermost Advisory ID: MMSA-2026-00618
Published: 2026-05-18
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mattermost Desktop App fails to validate URLs that are loaded in a pop‑up window. A malicious server can supply a URL such as {{window.open('javascript:alert()');}}, which is parsed as a JavaScript URL and causes the application to crash. The flaw is identified as CWE‑939 (Improper Validation of URL). The impact is a loss of availability for the affected instance of the Desktop App, but there is no evidence of data disclosure or privilege escalation.

Affected Systems

Mattermost Desktop App versions up to 6.1, including 6.0.1 and 5.4.13.0. The issue appears only in these older releases; all newer releases contain a patch that prevents invalid URLs from being opened.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score is not available. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is a remote attacker controlling a server that hosts a link containing the malicious URL – the Desktop App will load it in a pop‑up window and crash. The vulnerability is straightforward to exploit once the attacker can direct a user to the crafted link, and the result is a denial of service to the affected instance. Because the flaw only crashes the application, it is less critical than a data breach but still significant because it can disrupt operations.

Generated by OpenCVE AI on May 18, 2026 at 10:21 UTC.

Remediation

Vendor Solution

Update Mattermost Desktop App to versions 6.2.0, 6.1.1.0, 5.13.5.0 or higher.

OpenCVE Recommended Actions

  • Upgrade Mattermost Desktop App to version 6.2.0 or newer.
  • If an upgrade to 6.2.0 is not possible, upgrade to version 6.1.1.0 or newer.
  • If an upgrade to 6.1.1.0 is not an option, upgrade to version 5.13.5.0 or newer.

Generated by OpenCVE AI on May 18, 2026 at 10:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Mon, 18 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost mattermost
Vendors & Products Mattermost
Mattermost mattermost

Mon, 18 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling {{window.open('javascript:alert()');}}. Mattermost Advisory ID: MMSA-2026-00618
Title Opening a window with {{javascript:alert()}} as URL causes crash in the Mattermost Desktop App
Weaknesses CWE-939
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Mattermost Mattermost
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-05-18T08:45:44.576Z

Reserved: 2026-03-03T10:41:41.370Z

Link: CVE-2026-3471

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-18T09:16:22.847

Modified: 2026-05-18T09:16:22.847

Link: CVE-2026-3471

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T10:30:23Z

Weaknesses