{"id":"GHSA-42x9-rr3c-gr59","summary":"Mattermost Server vulnerable to XSS through channel headers","details":"An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and 3.9.2. XSS could occur via a channel header.","aliases":["CVE-2017-18907","GO-2026-4459"],"modified":"2026-02-19T20:56:05.367927Z","published":"2022-05-24T17:21:06Z","database_specific":{"github_reviewed":true,"github_reviewed_at":"2026-02-06T22:44:36Z","cwe_ids":["CWE-79"],"nvd_published_at":"2020-06-19T20:15:00Z","severity":"MODERATE"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18907"},{"type":"WEB","url":"https://github.com/mattermost/mattermost/commit/312269ad0bd166174f07f9df7391fce714601600"},{"type":"WEB","url":"https://github.com/mattermost/mattermost/commit/4519b03d95e8bfe1b2f74094673ae1a2f39f6b47"},{"type":"WEB","url":"https://github.com/mattermost/mattermost/commit/a18479df0940be8503c9b88993490741793eba9e"},{"type":"PACKAGE","url":"https://github.com/mattermost/mattermost"},{"type":"WEB","url":"https://mattermost.com/security-updates"}],"affected":[{"package":{"name":"github.com/mattermost/mattermost-server","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.9.2-0.20170714014920-312269ad0bd1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-42x9-rr3c-gr59/GHSA-42x9-rr3c-gr59.json"}},{"package":{"name":"github.com/mattermost/mattermost-server","ecosystem":"Go","purl":"pkg:golang/github.com/mattermost/mattermost-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"3.10.0"},{"fixed":"3.10.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-42x9-rr3c-gr59/GHSA-42x9-rr3c-gr59.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}