CVE-2019-16645

HIGH

Embedthis GoAhead 2.5.0 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-16645. PoCs published by Ramikan.

AI-analyzed exploit summary: The exploit demonstrates a Host Header Injection vulnerability in GoAhead Web Server 2.5.0, allowing an attacker to spoof the Host header and redirect users to malicious sites. The PoC includes HTTP requests showing how the server trusts and reflects the Host header in redirects.

Description

An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. This could potentially be used in a phishing attack.

Exploits (1)

exploitdb WORKING POC
by Ramikan · text · remote · multiple
https://www.exploit-db.com/exploits/47439

Classification: Working PoC 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: GoAhead Web Server 2.5.0
No auth needed
Prerequisites: Access to the target web server
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 8.6
EPSS 0.0818
EPSS Percentile 94.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Details

CWE CWE-94
Status published
Products (1)
embedthis/goahead 2.5.0
Published Sep 20, 2019
Tracked Since Feb 18, 2026