Terminal Escape Injection in mmctl Report Posts Command_CVE-2026-3108

8 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Description

Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking.. Mattermost Advisory ID: MMSA-2026-00599

Basic Information

ID CVE-2026-3108

Source Mattermost

Published Mar 26, 2026 at 16:16

Modified Mar 27, 2026 at 03:55

Affected Product

Vendor Mattermost

Product Mattermost

Version 11.2.0

Affected Versions Mattermost Mattermost 11.2.0
Mattermost Mattermost 10.11.0
Mattermost Mattermost 11.4.0
Mattermost Mattermost 11.3.0

CWE Classification

CWE-150

References

mattermost.com /security-updates

{
    "lastseen": "",
    "description": "Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking.. Mattermost Advisory ID: MMSA-2026-00599",
    "published": "2026-03-26T16:16:49.790Z",
    "modified": "2026-03-27T03:55:41.498Z",
    "type": "cve",
    "title": "Terminal Escape Injection in mmctl Report Posts Command",
    "source": "Mattermost",
    "references": "https://mattermost.com/security-updates",
    "id": "CVE-2026-3108",
    "bulletinFamily": "",
    "cwe": [
        "CWE-150"
    ],
    "cvelist": null,
    "sourceData": "Mattermost Mattermost 11.2.0\nMattermost Mattermost 10.11.0\nMattermost Mattermost 11.4.0\nMattermost Mattermost 11.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Mattermost",
    "version": "11.2.0",
    "vendor": "Mattermost",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}