An issue exists in Mattermost Server prior to 4.1.0, 4.0.4, and 3.10.3. It allows CSV injection via a compliance report.
mattermost mattermost server