πŸ” CVE Alert

CVE-2026-6333

LOW 3.5

SSRF via Host Header Spoofing in Custom Slash Commands

CVSS Score
3.5
EPSS Score
0.0%
EPSS Percentile
0th

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header.. Mattermost Advisory ID: MMSA-2026-00582

CWE CWE-918
Vendor mattermost
Product mattermost
Published May 18, 2026
Stay Ahead of the Next One

Get instant alerts for mattermost mattermost

Be the first to know when new low vulnerabilities affecting mattermost mattermost are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Affected Versions

Mattermost / Mattermost
11.5.0 ≀ 11.5.1 10.11.0 ≀ 10.11.13

References

NVD β†— CVE.org β†— EPSS Data β†—
mattermost.com: https://mattermost.com/security-updates

Credits

Juho ForsΓ©n