CVE-2026-32616
Severity: HIGH
Pigeon <1.0.201 Email Verification - Host Header Injection
Title source: manualDescription
Pigeon is a message board, notepad, social system and blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. Because that value is copied from the client-supplied Host request header, an attacker can set the Host header to a domain they control, and the verification link mailed to the user then points at that attacker-controlled domain; when the user follows the link, the email verification token is delivered to the attacker, which can lead to account takeover (the CVSS vector's UI:R reflects that the victim must click the link). The vulnerability is fixed in 1.0.201.
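The following is an added example, not code from the Pigeon project, that models the pattern the advisory describes: a verification link whose origin is copied from the request's Host header, beside a hardened version that builds the link from a configured base URL and rejects requests whose Host is not on an allowlist. The /verify path, the header dictionary, CANONICAL_BASE_URL, HOST_ALLOWLIST and the token values are assumptions made for illustration; the project's real routes and parameter names are not shown on this page.

```python
"""Host header injection in an email-verification link, and the fix.

Added example (not Pigeon's code). Request shape, the /verify path and the
configuration names below are assumptions for illustration only.
"""
from typing import Mapping, Optional
from urllib.parse import quote, urlsplit

# Constructed deployment settings: the operator sets these once in config;
# they never come from the incoming request.
CANONICAL_BASE_URL = "https://forum.example.org"
HOST_ALLOWLIST = frozenset({"forum.example.org"})


def verification_link_vulnerable(headers: Mapping[str, str], token: str) -> str:
    """Pre-1.0.201 pattern: the link's origin is whatever the client sent in
    the Host header (PHP: $_SERVER['HTTP_HOST']), with no validation."""
    host = headers.get("Host", "")
    return f"https://{host}/verify?token={quote(token, safe='')}"


def _request_hostname(headers: Mapping[str, str]) -> Optional[str]:
    """Normalise the Host header to a bare lowercase hostname: strips the
    port and IPv6 brackets. Returns None when it is missing or malformed."""
    raw = headers.get("Host")
    if not raw:
        return None
    try:
        # urlsplit lowercases the host and separates ":port" for us.
        return urlsplit("//" + raw).hostname
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None


def verification_link_fixed(headers: Mapping[str, str], token: str) -> Optional[str]:
    """Hardened pattern: the link is built from the configured base URL only.

    The Host header is still checked against an allowlist so that a request
    carrying a spoofed Host is refused before any mail is sent. Note that the
    validated Host is deliberately NOT reused in the link: only the canonical
    base URL is, so nothing attacker-controlled reaches the email."""
    hostname = _request_hostname(headers)
    if hostname not in HOST_ALLOWLIST:
        return None  # caller should answer 400 and send nothing
    return f"{CANONICAL_BASE_URL}/verify?token={quote(token, safe='')}"


if __name__ == "__main__":
    # Constructed scenario: the attacker triggers a verification mail for the
    # victim's address while supplying their own Host header.
    spoofed = {"Host": "evil.example"}
    token = "victim-token-123"  # constructed token value
    print("vulnerable:", verification_link_vulnerable(spoofed, token))
    print("fixed:     ", verification_link_fixed(spoofed, token))
    # A legitimate request, with mixed case and an explicit port, still works.
    print("fixed, legit:", verification_link_fixed({"Host": "Forum.Example.Org:443"}, token))
```

The allowlist check is a defence-in-depth measure; the essential fix is that the mailed link never depends on the request at all. If the application must support several hostnames, each one belongs in the operator-controlled allowlist and maps to a configured base URL, rather than being echoed back from the header.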
References (2)
Advisory (x_refsource_confirm): https://github.com/kasuganosoras/Pigeon/security/advisories/GHSA-rrj4-9wgq-prcr
Fixed release (x_refsource_misc): https://github.com/kasuganosoras/Pigeon/releases/tag/1.0.201
Scores
CVSS v3.1 base score: 8.2 (High)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0021 (0.21%)
EPSS percentile: 10.8%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))
Status: published
Products (1): kasuganosoras/Pigeon < 1.0.201
Published: Mar 16, 2026
Tracked since: Mar 16, 2026