75 matches found
CVE-2026-34835
A flaw was found in Rack. A remote attacker could exploit this by sending a specially crafted Host header containing characters not permitted in standard hostnames. This malformed header bypasses hostname validation in applications using Rack::Request, leading to host header poisoning. This can...
EUVD-2026-18478
Rack::Request accepts invalid Host characters, enabling host allowlist bypass...
DEBIAN-CVE-2026-34835
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.hos...
UBUNTU-CVE-2026-34835
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.hos...
CVE-2026-34835 Rack: `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.hos...
CVE-2026-34835
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.hos...
CVE-2026-34835
Rack exposes a vulnerability in Rack::Request where Host header parsing uses an AUTHORITY regex that accepts characters not allowed by RFC hostnames (e.g., /, ?, #, @). Versions affected: 3.0.0.beta1 through 3.1.20, and 3.2.0 through 3.2.5. This can allow host header poisoning when apps rely on r...
PT-2026-29857
Rack versions 3.0.0.beta1 through 3.1.21, and 3.2.0 through 3.2.6 are affected by an issue where the Rack::Request component improperly parses the Host header, accepting characters not permitted in RFC-compliant hostnames such as /, ?, #, and @. This can lead to host header poisoning in applicatio...
PT-2026-29913
Summary Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be...
actix-web-lab has host header poisoning in redirect middleware can generate attacker-controlled absolute redirects
Summary actix-web-lab redirect middleware uses request-derived host information to construct absolute redirect URLs for example, https://hostnamepath. In deployments without strict host allowlisting, an attacker can supply a malicious Host header and poison the Location response header, causing...
GHSA-VHJ5-X93P-67JW actix-web-lab has host header poisoning in redirect middleware can generate attacker-controlled absolute redirects
Summary actix-web-lab redirect middleware uses request-derived host information to construct absolute redirect URLs for example, https://hostnamepath. In deployments without strict host allowlisting, an attacker can supply a malicious Host header and poison the Location response header, causing...
mailcow 2025-01a - Host Header Password Reset Poisoning
Exploit Title: mailcow 2025-01a - Host Header Password Reset Poisoning Date: 2025-10-21 Exploit Author: Iam Alvarez AKA Groppoxx / Maizeravla Vendor Homepage: https://mailcow.email Software Link: https://github.com/mailcow/mailcow-dockerized Version: 2025-01a REQUIRED Tested on: Ubuntu 22.04.5 LT...
CVE-2026-26747
A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "false". The application generates absolute URLs suc...
CVE-2026-26747
Monica 4.1.2 is affected by a Host Header Poisoning issue caused by improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, compounded by the default app.force_url being unset/false. The app constructs absolute URLs (e.g., password reset links) using the user-supplied H...
CVE-2026-26747
A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "false". The application generates absolute URLs suc...
mailcow: Dockerized Host Header Password Reset Poisoning Scanner
This Metasploit module adds a scanner for a Host header poisoning vulnerability in mailcow:dockerized versions prior to 2025-01a. The vulnerability occurs because the application improperly trusts the HTTP Host header when generating password reset links. By supplying a crafted Host header during...
mailcow: Dockerized Host Header Password Reset Poisoning
mailcow: dockerized versions prior to 2025-01a are vulnerable to Host header poisoning in the password reset workflow. The application incorrectly trusts the Host header when generating password reset links, allowing an attacker to inject an attacker-controlled domain into the reset URL. If a...
CVE-2022-31458
RTX TRAP v1.0 was discovered to be vulnerable to host header poisoning...
CVE-2024-32642
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, it is vulnerable to host header poisoning, which allows account takeover via password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6...
CVE-2024-32642
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, it is vulnerable to host header poisoning, which allows account takeover via password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6...