Impact
Mattermost versions before 11.6.0 (specifically 11.5.x through 11.5.1, 10.11.x through 10.11.13, and 11.4.x through 11.4.3) do not validate the content of images retrieved through the image proxy. An attacker who controls an image origin can serve an SVG file with a non‑SVG Content‑Type header such as image/png and reference it from an og:image meta tag or a Markdown image link in a message. The image proxy forwards the file to the client unchanged, so the victim's browser parses the SVG and a client‑side denial of service results. The flaw is classified as CWE‑754; in practice it is a failure to check the proxied body against its declared content type, and its impact is a client‑side denial of service of the browser's document rendering. The overall severity is reflected in a CVSS score of 4.3.
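The check the proxy is missing can be shown in a few lines. The following Go function is an added illustration written for this page; it is not Mattermost's code and makes no claim about how the project's own fix is implemented. It sniffs the first kilobyte of the fetched body, rejects anything that is SVG markup unless the origin declared image/svg+xml, and for raster images requires the magic bytes (via net/http's DetectContentType) to agree with the declared type. The function and variable names, and the SVG and PNG samples, are constructed for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// ErrNotAnImage is returned when the fetched body is not a recognised raster image.
var ErrNotAnImage = errors.New("image proxy: body is not a recognised image")

// ErrContentMismatch is returned when the body's real format disagrees with the
// Content-Type the origin declared (the mislabelled-SVG case from the advisory).
var ErrContentMismatch = errors.New("image proxy: body does not match declared Content-Type")

// svgRootTag matches an <svg ...> or <svg> start tag anywhere in the sniffed prefix,
// so an <?xml ...?> prologue or a DOCTYPE before it does not hide the SVG.
var svgRootTag = regexp.MustCompile(`(?i)<svg[\s>/]`)

// mediaType strips parameters such as "; charset=utf-8" and normalises case.
func mediaType(contentType string) string {
	return strings.ToLower(strings.TrimSpace(strings.SplitN(contentType, ";", 2)[0]))
}

// looksLikeSVG reports whether the body prefix is SVG markup, ignoring leading
// whitespace and a UTF-8 byte-order mark that browsers also skip.
func looksLikeSVG(prefix []byte) bool {
	p := bytes.TrimLeft(prefix, " \t\r\n\xEF\xBB\xBF")
	if len(p) == 0 || p[0] != '<' {
		return false
	}
	return svgRootTag.Match(p)
}

// ValidateImageResponse decides whether a proxied body may be forwarded under the
// declared Content-Type. It returns the verified media type the proxy should send;
// on error the proxy must refuse to relay the body at all.
func ValidateImageResponse(declared string, body []byte) (string, error) {
	prefix := body
	if len(prefix) > 1024 {
		prefix = prefix[:1024]
	}
	want := mediaType(declared)
	if looksLikeSVG(prefix) {
		// SVG is XML the browser will parse and render as a document; it must
		// only ever leave the proxy honestly labelled, never disguised as a raster.
		if want != "image/svg+xml" {
			return "", ErrContentMismatch
		}
		return "image/svg+xml", nil
	}
	got := mediaType(http.DetectContentType(prefix)) // magic-byte sniffing from net/http
	if !strings.HasPrefix(got, "image/") {
		return "", ErrNotAnImage
	}
	if got != want {
		return "", ErrContentMismatch
	}
	return got, nil
}

// Constructed samples for the example; neither was captured from a real origin.
var (
	SampleSVG = []byte(`<?xml version="1.0"?>` + "\n" +
		`<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8"><rect width="8" height="8"/></svg>`)
	SamplePNG = []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00")
)

func main() {
	cases := []struct {
		declared string
		body     []byte
	}{
		{"image/png", SampleSVG},                    // the attack: SVG mislabelled as PNG
		{"image/svg+xml; charset=utf-8", SampleSVG}, // honestly labelled SVG
		{"image/png", SamplePNG},                    // honestly labelled PNG
		{"image/jpeg", SamplePNG},                   // PNG mislabelled as JPEG
	}
	for _, c := range cases {
		typ, err := ValidateImageResponse(c.declared, c.body)
		fmt.Printf("declared=%-30q verified=%-16q err=%v\n", c.declared, typ, err)
	}
}
```

Whether an honestly labelled SVG should be relayed at all is a separate policy decision for the proxy; the point of the check is that a body which parses as SVG can never reach the browser under a raster type. Setting X-Content-Type-Options: nosniff on the proxied response is the usual companion measure, so the browser does not second-guess the verified type.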
Affected Systems
Any Mattermost instance running version 11.5.1 or earlier of the 11.5 series, 10.11.13 or earlier of the 10.11 series, or 11.4.3 or earlier of the 11.4 series is impacted. The official remedy is to upgrade to 11.5.2, 10.11.14, or 11.4.4 respectively, or to 11.6.0 or any later release.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widely known exploitation at the time of writing. The attack requires the attacker to control an image‑serving origin and to get the mislabelled SVG referenced, via an og:image tag or a Markdown image link, in a message that a user will view; based on the description, the attacker is inferred not to need privileged access to the Mattermost server. The probability of exploitation is therefore low, but any user whose client renders the content experiences a client‑side denial of service. Organizational risk is greatest in environments where end users routinely view posts containing links or images from untrusted origins.
OpenCVE Enrichment