Mattermost Desktop App <=6.1 URL Injection Crash via Popup
CVE-2026-3471 Published on May 18, 2026
Opening a window with {{javascript:alert()}} as URL causes crash in the Mattermost Desktop App
Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated crash the application via calling {{window.open('javascript:alert()');}}. Mattermost Advisory ID: MMSA-2026-00618
Vulnerability Analysis
CVE-2026-3471 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
Improper Authorization in Handler for Custom URL Scheme
The software uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme. Mobile platforms and other architectures allow the use of custom URL schemes to facilitate communication between applications. In the case of iOS, this is the only method to do inter-application communication. The implementation is at the developer's discretion which may open security flaws in the application. An example could be potentially dangerous functionality such as modifying files through a custom URL scheme.
Products Associated with CVE-2026-3471
Want to know whenever a new CVE is published for MatterMost? stack.watch will email you.
Affected Versions
Mattermost:- Before and including 6.0.1 is affected.
- Before and including 5.4.13 is affected.
- Version 6.2.0 is unaffected.
- Version 6.1.1.0 is unaffected.
- Version 5.13.5.0 is unaffected.