CVE-2026-32616

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-32616

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32616.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-32616

Aliases

GHSA-rrj4-9wgq-prcr

Published

2026-03-13T21:12:40.529Z

Modified

2026-04-02T13:25:08.536521Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N CVSS Calculator

Summary

Pigeon has a Host Header Injection in email verification flow

Details

Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $SERVER['HTTPHOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification link sent to the user's email to point to an attacker-controlled domain. This can lead to account takeover by stealing the email verification token. This vulnerability is fixed in 1.0.201.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32616.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-74"
    ]
}

References

Affected packages

Git / github.com/kasuganosoras/pigeon

Affected ranges

Type: GIT
Repo: https://github.com/kasuganosoras/pigeon
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3dbf55e7c66098a9f952f790efb753702d7227c6

Affected versions

1.*

1.0.150

1.0.155

1.0.156

1.0.160

1.0.162

1.0.168

1.0.172

1.0.175

1.0.175.1

1.0.175.2

1.0.175.3

1.0.177

1.0.181

1.0.182

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32616.json"