Nixpkgs Security Tracker

Permalink CVE-2026-1628

4.6 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

updated 2 weeks, 6 days ago by @LeSuisse Activity log

Created automatic suggestion 2 weeks, 6 days ago
@LeSuisse removed
5 packages
- mattermost
- mattermostLatest
- python312Packages.mattermostdriver
- python313Packages.mattermostdriver
- python314Packages.mattermostdriver
2 weeks, 6 days ago
@LeSuisse removed
2 maintainers
- @liff
- @jokogr
2 weeks, 6 days ago
@LeSuisse accepted 2 weeks, 6 days ago
@LeSuisse published on GitHub 2 weeks, 6 days ago

Mattermost allows external websites to open within the app, exposing preload functionality to non-trusted sites.

Mattermost Desktop App versions <=5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server. Mattermost Advisory ID: MMSA-2026-00596

References

MMSA-2026-00596 vendor-advisory

Affected products

Mattermost

==5.13.4.0
=<5.13.3

Matching in nixpkgs

pkgs.mattermost-desktop

Mattermost Desktop client

nixos-unstable 6.0.4
- nixpkgs-unstable 6.0.4
- nixos-unstable-small 6.0.4
nixos-25.11 6.0.4
- nixos-25.11-small 6.0.4
- nixpkgs-25.11-darwin 6.0.4

Ignored packages (5)

pkgs.mattermost

Mattermost is an open source platform for secure collaboration across the entire software development lifecycle

nixos-unstable 10.11.12
- nixpkgs-unstable 10.11.12
- nixos-unstable-small 10.11.12
nixos-25.11 10.11.11
- nixos-25.11-small 10.11.12
- nixpkgs-25.11-darwin 10.11.11