
18 matches found

Veracode
added 2025/11/06 9:11 a.m., 2 views

Open Redirection

@lobehub/chat is vulnerable to Open Redirection. The vulnerability is due to improper validation of X-Forwarded- and Host headers in the OIDC redirect handling logic, which allows an attacker to inject a malicious host and redirect users to arbitrary domains...

CVSS 4.3, AI score 7, EPSS 0.00153
Exploits: 1, References: 3, Affected Software: 1
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2018-12522

Malware in sbrugna...

CVSS 5.4, AI score 5.5, EPSS 0.00126
Exploits: 0, References: 4
OSV
added 2025/05/16 5:28 p.m., 5 views

GHSA-99PM-CH96-CCP2 Flask-AppBuilder open redirect vulnerability using HTTP host injection

Impact: Flask-AppBuilder prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Patches: Flask-AppBuilder 4.6.2 introduced the FAB_SAFE_REDIRECT_HOSTS configuration variable, which allows administrators to explicit...

CVSS 4.3, AI score 6.7, EPSS 0.00198
Exploits: 0, References: 4
GitHub Security Blog
added 2025/05/16 5:28 p.m., 10 views

Flask-AppBuilder open redirect vulnerability using HTTP host injection

Impact: Flask-AppBuilder prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Patches: Flask-AppBuilder 4.6.2 introduced the FAB_SAFE_REDIRECT_HOSTS configuration variable, which allows administrators to explicit...

CVSS 6.1, AI score 6.8, EPSS 0.00198
Exploits: 0, References: 4, Affected Software: 1
Vulnrichment
added 2025/05/16 1:51 p.m., 12 views

CVE-2025-32962 Flask-AppBuilder open redirect vulnerability using HTTP host injection

Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the FAB_SAFE_REDIRECT_HOSTS...

CVSS 4.3, AI score 7.2, EPSS 0.00198
Exploits: 0, References: 2
Cvelist
added 2025/05/16 1:51 p.m., 14 views

CVE-2025-32962 Flask-AppBuilder open redirect vulnerability using HTTP host injection

Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the FAB_SAFE_REDIRECT_HOSTS...

CVSS 4.3, EPSS 0.00198
Exploits: 0, References: 2
GitLab Advisory Database
added 2025/05/16 12:0 a.m., 13 views

Flask-AppBuilder open redirect vulnerability using HTTP host injection

Flask-AppBuilder prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests...

CVSS 6.1, AI score 6.8, EPSS 0.00198
Exploits: 0, References: 5, Affected Software: 1
Vulnrichment
added 2023/11/30 4:45 a.m., 11 views

CVE-2023-49097 ZITADEL vulnerable account takeover via malicious host header injection

ZITADEL is an identity infrastructure system. ZITADEL uses the notification triggering requests Forwarded or X-Forwarded-Host header to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicio...

CVSS 8.1, AI score 7.3, EPSS 0.00385
Exploits: 1, References: 1
Packet Storm
added 2022/05/11 12:0 a.m., 190 views

Beehive Forum 1.5.2 Account Takeover

Exploit Title: Beehive Forum - Account Takeover Date:08/05/2022. Exploit Author: Pablo Santiago Vendor Homepage: https://www.beehiveforum.co.uk/ Software Link: https://sourceforge.net/projects/beehiveforum/ Version: 1.5.2 Tested on: Kali Linux and Ubuntu 20.0.4 CVE N/A PoC:...

AI score 0.1
Exploits: 0
CNVD
added 2021/11/28 12:0 a.m., 16 views

Dell Networking X-Series HOST Injection Vulnerability

Dell Networking X-Series is a series of intelligent managed switches from Dell, U.S. A HOST injection vulnerability exists in Dell Networking X-Series, which can be exploited by remote, unauthenticated attackers to poison web caches or trigger redirects by injecting arbitrary host header values...

CVSS 6.1, AI score 3.8, EPSS 0.00673
Exploits: 0, References: 1
Prion
added 2021/06/29 4:15 p.m., 18 views

Design/Logic Flaw

Machform prior to version 16 is vulnerable to HTTP host header injection due to improperly validated host headers. This could cause a victim to receive malformed content...

CVSS 5.8, AI score 6.3, EPSS 0.0024
Exploits: 0, References: 1, Affected Software: 1
OSV
added 2019/09/26 4:15 p.m., 18 views

CVE-2019-16532

An HTTP Host header injection vulnerability exists in YzmCMS V5.3. A malicious user can poison a web cache or trigger redirections...

CVSS 6.1, AI score 7.1
Exploits: 0, References: 2
NVD
added 2019/04/08 3:29 p.m., 11 views

CVE-2018-1943

IBM Cloud Private 3.1.0 and 3.1.1 is vulnerable to HTTP HOST header injection, caused by improper validation of input. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which will allow the attacker t...

CVSS 5.4, AI score 5.4, EPSS 0.00126
Exploits: 0, References: 3
Kitploit
added 2018/03/10 9:23 p.m., 18 views

sub6 - Web App Scanner

subdomain take over detector and crawler. Usage python sub6.py -i list.txt -o output.txt -s phpinfo.php -x 4 +Options -i input files twitterdomains.txt if many separate by comma -o output file twitterResult.txt -p protocol http or https -s suffix phpinfo.php used to look for certain files CTF mod...

AI score 7.6
Exploits: 0, References: 1
Hacker One
added 2016/09/14 9:36 a.m., 13 views

Boozt Fashion AB: Http header injection

Researcher reported a Host injection vulnerability which caused redirect to happen to unwanted hostname...

AI score 7.3
Exploits: 0
Friends Of PHP
added 2015/05/29 12:53 a.m., 7 views

SS-2015-013: X-Forwarded-Host request hostname injection

More info at https://www.silverstripe.org/software/download/security-releases/ss-2015-013/...

AI score 7.2
Exploits: 0, Affected Software: 1
Friends Of PHP
added 1970/01/01 12:0 a.m., 3 views

CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection

More info at https://symfony.com/cve-2026-45065...

AI score 5.8
Exploits: 0, Affected Software: 1
Friends Of PHP
added 1970/01/01 12:0 a.m., 4 views

CVE-2026-45065: UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation → Off-Site //host URL Injection

More info at https://symfony.com/cve-2026-45065...

AI score 5.8
Exploits: 0, Affected Software: 1