2 matches found
EUVD-2026-20489
CI4MS Vulnerable to .env CRLF Injection via Unvalidated host Parameter in Install Controller...
GHSA-VFHX-5459-QHQH CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller
Summary The Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which writes it into the .env file via pregreplace. Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration...