CVE-2026-3471 Opening a window with {{javascript:alert()}} as URL causes crash in the Mattermost Desktop App

🗓️ 18 May 2026 08:45:44Reported by MattermostType

Opening a window with javascript:alert in a pop-up crashes the Mattermost Desktop App on vulnerable versions.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2026-3471	18 May 202608:45	–	attackerkb
CNNVD	Mattermost Desktop App 安全漏洞	18 May 202600:00	–	cnnvd
CVE	CVE-2026-3471	18 May 202608:45	–	cve
EUVD	EUVD-2026-30757	18 May 202608:45	–	euvd
Tenable Nessus	Mattermost Desktop < 5.13.5 / < 6.0.2 / < 6.1.1 Multiple Vulnerabilities (MMSA-2026-00618 / MMSA-2026-00633)	28 May 202600:00	–	nessus
NVD	CVE-2026-3471	18 May 202609:16	–	nvd
Positive Technologies	PT-2026-41651	18 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-3471	5 Jun 202619:37	–	redhatcve
Vulnrichment	CVE-2026-3471 Opening a window with {{javascript:alert()}} as URL causes crash in the Mattermost Desktop App	18 May 202608:45	–	vulnrichment

[
  {
    "defaultStatus": "unaffected",
    "product": "Mattermost",
    "vendor": "Mattermost",
    "versions": [
      {
        "lessThanOrEqual": "6.0.1",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "5.4.13",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "version": "6.2.0",
        "status": "unaffected"
      },
      {
        "version": "6.1.1.0",
        "status": "unaffected"
      },
      {
        "version": "5.13.5.0",
        "status": "unaffected"
      }
    ]
  }
]

Source	Link
mattermost	www.mattermost.com/security-updates

18 May 2026 08:45Current

CVSS 3.16.5

EPSS0.0004

CWE-939