VYPR
Medium severity 4.3 · NVD Advisory · Published May 15, 2026 · Updated May 18, 2026

CVE-2026-4054

Description

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header (e.g. image/png) embedded in an og:image meta tag or Markdown image link. Mattermost Advisory ID: MMSA-2026-00630

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/mattermost/mattermost-server (Go) | >= 11.5.0, < 11.5.2 | 11.5.2
github.com/mattermost/mattermost-server (Go) | >= 0.0.0-20250731163400-5b955468ea1e, < 0.0.0-20260414103857-b21ef302025e | 0.0.0-20260414103857-b21ef302025e
github.com/mattermost/mattermost-server (Go) | >= 11.4.0, < 11.4.4 | 11.4.4

Affected products

  • Mattermost/Mattermost (inferred, 2 versions)
    • (no CPE) range: <=11.5.1,<=10.11.13,<=11.4.3
    • cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* range: >=10.11.0,<10.11.14
