CVE-2026-3108 — Improper Neutralization of Escape, Meta, or Control Sequences in Mattermost Mattermost Server V8

CWE-150 — Improper Neutralization of Escape, Meta, or Control Sequences5 documents5 sources

Severity

8.8HIGHNVD

CNA8.0

EPSS

0.0%

top 87.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost Server V8 Mattermost Server Mattermost

Timeline

PublishedMar 26

Description

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking.. Mattermost Advisory ID: MMSA-2026-00599

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDmattermost/mattermost_server10.11.0 — 10.11.11+3

▶Gogithub.com/mattermost_mattermost_server_v811.4.0-rc1 — 11.4.1+4

▶CVEListV5mattermost/mattermost11.2.0 — 11.2.2+3

🔴Vulnerability Details

CVEList

Terminal Escape Injection in mmctl Report Posts Command↗2026-03-26

▶

GHSA

Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences↗2026-03-26

▶

OSV

Mattermost allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences↗2026-03-26

▶

🕵️Threat Intelligence

Wiz

CVE-2026-3108 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶