Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-1628
4.6 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): NONE
Mattermost allows external websites to open within the app, exposing preload functionality to non-trusted sites.
Mattermost Desktop App versions <=5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server. Mattermost Advisory ID: MMSA-2026-00596
References
-
MMSA-2026-00596 vendor-advisory
Affected products
Mattermost
- ==5.13.4.0
- =<5.13.3
Matching in nixpkgs
pkgs.mattermost
Mattermost is an open source platform for secure collaboration across the entire software development lifecycle
pkgs.mattermostLatest
Mattermost is an open source platform for secure collaboration across the entire software development lifecycle
pkgs.mattermost-desktop
Mattermost Desktop client
pkgs.python312Packages.mattermostdriver
Python Mattermost Driver
pkgs.python313Packages.mattermostdriver
Python Mattermost Driver
pkgs.python314Packages.mattermostdriver
Python Mattermost Driver
Package maintainers
-
@Kranzes Ilan Joselevich <personal@ilanjoselevich.com>
-
@fsagbuya Florian Agbuya <fa@m-labs.ph>
-
@numinit Morgan Jones <me+nixpkgs@numin.it>
-
@ryantm Ryan Mulligan <ryan@ryantm.com>
-
@mgdelacroix Miguel de la Cruz <mgdelacroix@gmail.com>
-
@liff Olli Helenius <liff@iki.fi>
-
@jokogr Ioannis Koutras <ioannis.koutras@gmail.com>
-
@globin Robin Gloster <mail@glob.in>