CVE-2025-63828

MEDIUM

Backdrop CMS 1.32.1 - Host Header Injection

Title source: llm

Description

Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection.

References (2)

[Release Notes] https://github.com/mertdurum06/BackdropCms-1.32.1/

View Writeup ZIP pw:eip

[Exploit] https://github.com/mertdurum06/BackdropCms-1.32.1/blob/main/backdropcms_exploit.txt

Scores

CVSS v3 6.1

EPSS 0.0004

EPSS Percentile 13.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-601

Status published

Products (2)

backdrop/backdrop 0Packagist

backdropcms/backdrop_cms 1.32.1

Published Nov 18, 2025

Tracked Since Feb 18, 2026