CVE-2026-6333
MEDIUM WAF: Medium
CVSS 5.0
Published: 2026-05-18
CWE-918
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header.. Mattermost Advisory ID: MMSA-2026-00582
WAF Coverage Analysis
Server-Side Request Forgery (SSRF)
Medium WAF Coverage
OWASP: A10:2021 SSRF
934xxx - Node.js / Generic Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| mattermost | mattermost_server | 10.11.0 - 10.11.14 |
| mattermost | mattermost_server | 11.5.0 - 11.5.2 |
References
- mattermost.com (Vendor Advisory)