GHSA-3439-vqgj-2gcf

Source
https://github.com/advisories/GHSA-3439-vqgj-2gcf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3439-vqgj-2gcf/GHSA-3439-vqgj-2gcf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3439-vqgj-2gcf
Aliases
  • CVE-2026-3108
Published
2026-03-26T18:31:42Z
Modified
2026-03-31T23:17:38.920479Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences
Details

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the terminal output of mmctl commands, which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking. Mattermost Advisory ID: MMSA-2026-00599.

Database specific
{
    "github_reviewed": true,
    "severity": "HIGH",
    "github_reviewed_at": "2026-03-31T23:02:43Z",
    "nvd_published_at": "2026-03-26T17:16:41Z",
    "cwe_ids": [
        "CWE-150"
    ]
}
Affected packages

Go
github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
11.4.0-rc1
Fixed
11.4.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-3439-vqgj-2gcf/GHSA-3439-vqgj-2gcf.json"
github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
11.3.0-rc1
Fixed
11.3.2

github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
11.2.0-rc1
Fixed
11.2.3

github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
10.11.0-rc1
Fixed
10.11.11

github.com/mattermost/mattermost/server/v8

Package

Name
github.com/mattermost/mattermost/server/v8
Purl
pkg:golang/github.com/mattermost/mattermost/server/v8

Affected ranges

Type
SEMVER
Events
Introduced
8.0.0-20260105080200-d27a2195068d
Fixed
8.0.0-20260217110922-b7d4a1f1f59b
