CVE-2026-2454

EUVD-2026-12510
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to handle incorrectly reported array lengths which allows malicious user to cause OOM errors and crash the server via sending corrupted msgpack frames within websocket messages to calls plugin. Mattermost Advisory ID: MMSA-2025-00537
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.8 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
MattermostCNA
5.8 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
mattermostmattermost
11.3.0 ≤
𝑥
≤ 11.3.0
mattermostmattermost
11.2.0 ≤
𝑥
≤ 11.2.2
mattermostmattermost
10.11.0 ≤
𝑥
≤ 10.11.10
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://mattermost.com/security-updates