| Title | MediaCrush 1.0 Improper Neutralization of HTTP Headers for Scripting Syntax |
|---|---|
| Description | An application-controlled Host header is read and trusted in `mediacrush/paths.py` via `request.headers["Host"].strip()`. An attacker who can send arbitrary HTTP requests can control that value. This may allow generation of attacker-controlled absolute URLs, cache poisoning, password-reset link manipulation, and other Host header attacks. |
| Source | https://github.com/lakshayyverma/CVE-Discovery/blob/main/mediacrush.md |
| User | lakshay12311 (UID 91298) |
| Submission | 11/09/2025 18:47 (7 months ago) |
| Moderation | 11/30/2025 15:04 (21 days later) |
| Status | Accepted |
| VulDB entry | 333813 [MediaCrush 1.0.0/1.0.1 Header /mediacrush/paths.py Host http headers for scripting syntax] |
| Points | 19 |
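
The pattern named in the description, shown next to an allow-list check, as an added example that is not MediaCrush's own code. The function names, `ALLOWED_HOSTS`, `CANONICAL_HOST` and the `media.example.org` hostnames are assumptions made for illustration, and the sample headers are constructed.

```python
import re

# Hypothetical deployment settings (assumptions, not taken from MediaCrush).
CANONICAL_HOST = "media.example.org"
ALLOWED_HOSTS = {"media.example.org", "media.example.org:8443"}

# Hostname with optional port. Anything else ('@', '/', whitespace, CR/LF,
# empty value) fails the match and is never compared against the allow-list.
_HOST_RE = re.compile(
    r"([a-z0-9](?:[a-z0-9.-]{0,252}[a-z0-9.])?)(?::([0-9]{1,5}))?"
)


def base_url_trusting(headers, scheme="https"):
    """Pattern from the description: the client-supplied Host is used as-is."""
    return "%s://%s" % (scheme, headers["Host"].strip())


def normalize_host(raw):
    """Lower-case, drop a trailing dot and the default HTTPS port.

    Returns None when the value is not a plain host[:port].
    """
    match = _HOST_RE.fullmatch(raw.strip().lower())
    if match is None:
        return None
    name, port = match.group(1).rstrip("."), match.group(2)
    return name if port in (None, "443") else "%s:%s" % (name, port)


def base_url_validated(headers, scheme="https"):
    """Return (base_url, host_was_accepted).

    A Host outside the allow-list never reaches URL generation; the caller
    can log the False flag as a signal of a spoofed or misrouted request.
    """
    host = normalize_host(headers.get("Host", ""))
    if host is not None and host in ALLOWED_HOSTS:
        return "%s://%s" % (scheme, host), True
    return "%s://%s" % (scheme, CANONICAL_HOST), False


if __name__ == "__main__":
    # Constructed sample requests.
    for sample in ({"Host": "MEDIA.example.org:443"}, {"Host": "attacker.example"}):
        print(sample, base_url_trusting(sample), base_url_validated(sample))
```

Links that leave the request context, such as password-reset e-mails, are safest built from the configured canonical host alone, whatever the request carried.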