CVE-2026-29199 in phpBBالمعلومات

الملخص

بحسب MITRE • 04/05/2026

phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

Hackerone

حجز

04/03/2026

إفشاء

04/05/2026

الاعتدال

تمت الموافقة

إدخال

VDB-360937

CPE

جاهز

CWE

CWE-640 (مؤكد)

CVSS

8.1 (CISA-ADP)

EPSS

0.00030

KEV

لا

النشاطات

منخفض جدًا

المصادر

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-29199
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-29199
CVE Details	https://www.cvedetails.com/cve/CVE-2026-29199/

التالي ▸نظرة عامة ◂ السابق

Do you know our Splunk app?

Download it now for free!