CVE-2026-32616

Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification link sent to the user's email to point to an attacker-controlled domain. This can lead to account takeover by stealing the email verification token. This vulnerability is fixed in 1.0.201.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/kasuganosoras/Pigeon/releases/tag/1.0.201
https://github.com/kasuganosoras/Pigeon/security/advisories/GHSA-rrj4-9wgq-prcr

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-16 14:19

Updated : 2026-03-16 14:53

NVD link : CVE-2026-32616

Mitre link : CVE-2026-32616

CVE.ORG link : CVE-2026-32616

JSON object : View

Products Affected

No product.

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2026-32616", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.8}]}, "published": "2026-03-16T14:19:39.393", "references": [{"url": "https://github.com/kasuganosoras/Pigeon/releases/tag/1.0.201", "source": "security-advisories@github.com"}, {"url": "https://github.com/kasuganosoras/Pigeon/security/advisories/GHSA-rrj4-9wgq-prcr", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification link sent to the user's email to point to an attacker-controlled domain. This can lead to account takeover by stealing the email verification token. This vulnerability is fixed in 1.0.201."}, {"lang": "es", "value": "Pigeon es un tabl\u00f3n de mensajes/bloc de notas/sistema social/blog. Antes de 1.0.201, la aplicaci\u00f3n utiliza $_SERVER['HTTP_HOST'] sin validaci\u00f3n para construir URLs de verificaci\u00f3n de correo electr\u00f3nico en los flujos de registro y resendmail. Un atacante puede manipular el encabezado Host en la solicitud HTTP, haciendo que el enlace de verificaci\u00f3n enviado al correo electr\u00f3nico del usuario apunte a un dominio controlado por el atacante. Esto puede llevar a la toma de control de cuenta mediante el robo del token de verificaci\u00f3n de correo electr\u00f3nico. Esta vulnerabilidad est\u00e1 corregida en 1.0.201."}], "lastModified": "2026-03-16T14:53:07.390", "sourceIdentifier": "security-advisories@github.com"}