79 matches found
CVE-2026-55791
Craft CMS is a content management system CMS. Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery SSRF and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default...
CVE-2026-55791
Craft CMS vulnerability CVE-2026-55791 enables SSRF and Arbitrary JavaScript Injection via /actions/app/resource-js when assetManager.cacheSourcePaths is false and trustedHosts is permissive. An attacker can poison Host/X-Forwarded-Host to hijack $baseUrl, causing Craft::createGuzzleClient()->...
CVE-2026-55791 Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs
Craft CMS is a content management system CMS. Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery SSRF and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default...
Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs
Overview Craft CMS is vulnerable to Server-Side Request Forgery SSRF and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the...
CVE-2026-34835
A flaw was found in Rack. A remote attacker could exploit this by sending a specially crafted Host header containing characters not permitted in standard hostnames. This malformed header bypasses hostname validation in applications using Rack::Request, leading to host header poisoning. This can...
EUVD-2026-18478
Rack::Request accepts invalid Host characters, enabling host allowlist bypass...
DEBIAN-CVE-2026-34835
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, , and @. Because req.hos...
UBUNTU-CVE-2026-34835
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, , and @. Because req.hos...
CVE-2026-34835
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, , and @. Because req.hos...
CVE-2026-34835
Rack exposes a vulnerability in Rack::Request where Host header parsing uses an AUTHORITY regex that accepts characters not allowed by RFC hostnames (e.g., /, ?, #, @). Versions affected: 3.0.0.beta1 through 3.1.20, and 3.2.0 through 3.2.5. This can allow host header poisoning when apps rely on r...
CVE-2026-34835 Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, , and @. Because req.hos...
PT-2026-29857
Rack versions 3.0.0.beta1 through 3.1.21, and 3.2.0 through 3.2.6 are affected by an issue where the Rack::Request component improperly parses the Host header, accepting characters not permitted in RFC-compliant hostnames such as /, ?, , and @. This can lead to host header poisoning in applicatio...
PT-2026-29913
Summary Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, , and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be...
actix-web-lab has host header poisoning in redirect middleware can generate attacker-controlled absolute redirects
Summary actix-web-lab redirect middleware uses request-derived host information to construct absolute redirect URLs for example, https://hostnamepath. In deployments without strict host allowlisting, an attacker can supply a malicious Host header and poison the Location response header, causing...
GHSA-VHJ5-X93P-67JW actix-web-lab has host header poisoning in redirect middleware can generate attacker-controlled absolute redirects
Summary actix-web-lab redirect middleware uses request-derived host information to construct absolute redirect URLs for example, https://hostnamepath. In deployments without strict host allowlisting, an attacker can supply a malicious Host header and poison the Location response header, causing...
mailcow 2025-01a - Host Header Password Reset Poisoning
Exploit Title: mailcow 2025-01a - Host Header Password Reset Poisoning Date: 2025-10-21 Exploit Author: Iam Alvarez AKA Groppoxx / Maizeravla Vendor Homepage: https://mailcow.email Software Link: https://github.com/mailcow/mailcow-dockerized Version: 2025-01a REQUIRED Tested on: Ubuntu 22.04.5 LT...
CVE-2026-26747
A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.forceurl" is not set and default is "false". The application generates absolute URLs suc...
CVE-2026-26747
A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.forceurl" is not set and default is "false". The application generates absolute URLs suc...
CVE-2026-26747
Monica 4.1.2 is affected by a Host Header Poisoning issue caused by improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, compounded by the default app.force_url being unset/false. The app constructs absolute URLs (e.g., password reset links) using the user-supplied H...
mailcow: Dockerized Host Header Password Reset Poisoning Scanner
This Metasploit module adds a scanner for a Host header poisoning vulnerability in mailcow:dockerized versions prior to 2025-01a. The vulnerability occurs because the application improperly trusts the HTTP Host header when generating password reset links. By supplying a crafted Host header during...