CVE-2026-29199 in phpBB情報

要約

〜によって MITRE • 2026年05月04日

phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

責任者

Hackerone

予約する

2026年03月04日

公開

2026年05月04日

モデレーション

承諾済み

エントリ

VDB-360937

CPE

準備完了

CWE

CWE-640 (確認済み)

CVSS

8.1 (CISA-ADP)

EPSS

0.00030

KEV

いいえ

アクティビティ

非常低い

ソース

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-29199
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-29199
CVE Details	https://www.cvedetails.com/cve/CVE-2026-29199/

◂ 前概要次 ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!