CVE-2025-63828

Source
https://cve.org/CVERecord?id=CVE-2025-63828
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63828.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-63828
Aliases
Published
2025-11-18T18:16:13.753Z
Modified
2026-03-14T12:44:52.371802Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

A Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection.

References

Affected packages

Git / github.com/backdrop/backdrop

Affected ranges

Type
GIT
Repo
https://github.com/backdrop/backdrop
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.32.1"
        }
    ]
}

Affected versions

1.*
1.1.0
1.10.0
1.11.0
1.13.0-preview
1.14.0
1.14.0-preview
1.15.0
1.15.0-preview
1.16.0
1.16.0-preview
1.17.0
1.17.0-preview
1.18.0
1.18.0-preview
1.19.0
1.19.0-preview
1.2.0
1.20.0
1.20.0-preview
1.21.0
1.21.0-preview
1.22.0
1.22.0-preview
1.23.0
1.23.0-preview
1.24.0
1.24.0-preview
1.25.0
1.25.0-preview
1.26.0
1.26.0-preview
1.27.0
1.27.0-preview
1.28.0
1.28.0-preview
1.29.0
1.29.0-preview
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.30.0
1.30.0-preview
1.31.0
1.31.0-preview
1.32.0
1.32.0-preview
1.32.1
1.4.0
1.4.1
1.4.2
1.4.3
1.5.0
1.5.1
1.6.0
1.7.0
1.7.0-preview
v1.*
v1.0.0
v1.0.0-preview
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63828.json"