Description
Drawing-Captcha APP provides interactive, engaging verification for Web-Based Applications. The vulnerability is a Host Header Injection in the /register and /confirm-email endpoints. It allows an attacker to manipulate the Host header in HTTP requests to generate malicious email confirmation links. These links can redirect users to attacker-controlled domains. This vulnerability affects all users relying on email confirmation for account registration or verification. This vulnerability is fixed in 1.2.5-alpha-patch.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/Drawing-Captcha/Drawing-Captcha-APP/security/advisories/GHSA-5pj8-fc6g-vv7m
Issue Tracking x_refsource_misc
https://github.com/Drawing-Captcha/Drawing-Captcha-APP/issues/30
Scores
CVSS v4
8.8
EPSS
0.0041
EPSS Percentile
32.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-601
Status
published
Products (1)
Drawing-Captcha/Drawing-Captcha-APP
< 1.2.5-alpha-patch
Published
Oct 16, 2025
Tracked Since
Feb 18, 2026