CVE-2026-3108

Source
https://cve.org/CVERecord?id=CVE-2026-3108
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3108.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-3108
Aliases
Published
2026-03-26T16:16:49.790Z
Modified
2026-07-08T08:05:02.457460533Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Terminal Escape Injection in mmctl Report Posts Command
Details

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking.. Mattermost Advisory ID: MMSA-2026-00599

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/3xxx/CVE-2026-3108.json",
    "cna_assigner": "Mattermost",
    "cwe_ids": [
        "CWE-150"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "11.2.0"
                },
                {
                    "last_affected": "11.2.2"
                },
                {
                    "introduced": "10.11.0"
                },
                {
                    "last_affected": "10.11.10"
                },
                {
                    "introduced": "11.4.0"
                },
                {
                    "last_affected": "11.4.0"
                },
                {
                    "introduced": "11.3.0"
                },
                {
                    "last_affected": "11.3.1"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/mattermost/mattermost

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:mattermost:mattermost_server:11.4.0:*:*:*:*:*:*:*"
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "extracted_events": [
        {
            "introduced": "10.11.0"
        },
        {
            "fixed": "10.11.11"
        },
        {
            "introduced": "11.2.0"
        },
        {
            "fixed": "11.2.3"
        },
        {
            "introduced": "11.3.0"
        },
        {
            "fixed": "11.3.2"
        },
        {
            "introduced": "11.4.0"
        },
        {
            "last_affected": "11.4.0"
        }
    ]
}

Affected versions

11.*
11.4.0
@mattermost/client@10.*
@mattermost/client@10.11.0
@mattermost/client@11.*
@mattermost/client@11.3.0
@mattermost/types@10.*
@mattermost/types@10.11.0
@mattermost/types@11.*
@mattermost/types@11.3.0
mattermost-redux@10.*
mattermost-redux@10.11.0
mattermost-redux@11.*
mattermost-redux@11.3.0
v10.*
v10.11.0
v10.11.0-rc3
v10.11.1
v10.11.1-rc1
v10.11.10
v10.11.11-rc1
v10.11.2
v10.11.2-rc1
v10.11.2-rc2
v10.11.3
v10.11.4
v10.11.4-rc1
v10.11.4-rc2
v10.11.4-rc3
v10.11.5
v10.11.6
v10.11.7
v10.11.8
v10.11.9
v10.11.9-rc1
v11.*
v11.2.0
v11.2.1
v11.2.1-rc1
v11.2.2
v11.3.0
v11.3.0-rc3
v11.3.0-rc4
v11.3.1
v11.3.1-rc1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3108.json"