11 matches found

Nuclei
added 8 hours ago · 21 views

ExponentCMS <= 2.6 - Host Header Injection

An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponentconstants.php. A modified HTTP header can change links on the webpage to an arbitrary value, leading to a possible attack vector for MITM. id: CVE-2021-38751 info: name: ExponentCMS <= 2.6 - Host Header Injection author:...

CVSS 4.3 · AI score 5.6 · EPSS 0.08314
Exploits: 1 · References: 5

EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2020-20522

Malware in sbrugna...

CVSS 4.3 · AI score 4.9 · EPSS 0.00341
Exploits: 0 · References: 3

RedhatCVE
added 2025/05/22 7:6 p.m. · 6 views

CVE-2021-20101

Machform prior to version 16 is vulnerable to HTTP host header injection due to improperly validated host headers. This could cause a victim to receive malformed content...

CVSS 6.1 · AI score 7 · EPSS 0.0024
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/22 3:26 p.m. · 5 views

CVE-2020-28031

eramba through c2.8.1 allows HTTP Host header injection with, for example, resultant wkhtml2pdf PDF printing by authenticated users...

CVSS 4.3 · AI score 7.1 · EPSS 0.00341
Exploits: 0

NVD
added 2025/05/16 11:15 a.m. · 10 views

CVE-2025-40631

HTTP host header injection vulnerability in Icewarp Mail Server affecting version 11.4.0. By modifying the Host header and adding a payload, arbitrary JavaScript code can be executed on page load. The user must interact with a malicious link to be redirected...

CVSS 6.1 · EPSS 0.00195
Exploits: 0 · References: 1

Positive Technologies
added 2025/05/16 12:0 a.m. · 4 views

PT-2025-21634 · Icewarp · Icewarp Mail Server

Name of the Vulnerable Software and Affected Versions: Icewarp Mail Server version 11.4.0 Description: The issue allows for HTTP host header injection, enabling the execution of arbitrary JavaScript code on page load when a user interacts with a malicious link. This is achieved by modifying the Ho...

CVSS 2 · AI score 6.8 · EPSS 0.00195
Exploits: 0 · References: 5

Tenable Nessus
added 2024/12/30 12:0 a.m. · 11 views

Couchbase < 7.2.6 / 7.6.x < 7.6.2 HTTP Host Header Injection

The version of Couchbase installed on the remote host is before 7.2.6, and 7.6.x before 7.6.2. It is, therefore, affected by an HTTP Host header injection. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number...

CVSS 6.1 · AI score 5.5 · EPSS 0.01188
Exploits: 0 · References: 4

NVD
added 2021/06/29 4:15 p.m. · 14 views

CVE-2021-20101

Machform prior to version 16 is vulnerable to HTTP host header injection due to improperly validated host headers. This could cause a victim to receive malformed content...

CVSS 6.1 · EPSS 0.0024
Exploits: 0 · References: 1

CVE
added 2020/10/30 9:29 p.m. · 44 views

CVE-2020-28031

CVE-2020-28031 affects eramba up to version 2.8.1, where HTTP Host header injection is possible. The impact described is that authenticated users can leverage wkhtml2pdf to print PDFs due to this header manipulation. The provided connected sources confirm the vulnerability description but do not ...

CVSS 4.3 · AI score 4.8 · EPSS 0.00341
Exploits: 0 · References: 2 · Affected Software: 1

Cvelist
added 2019/04/08 2:50 p.m. · 16 views

CVE-2018-1943

IBM Cloud Private 3.1.0 and 3.1.1 is vulnerable to HTTP HOST header injection, caused by improper validation of input. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which will allow the attacker t...

CVSS 5.4 · AI score 5.4 · EPSS 0.00126
Exploits: 0 · References: 3

Hacker One
added 2017/10/15 9:48 a.m. · 18 views

Inflection: HTTP Host Header Injection on app.goodhire.com

Researcher reported an issue that was previously reported by a different researcher and subsequently removed from program scope and then requested that we publicly disclose the report after closing it as a duplicate...

AI score 6.8
Exploits: 0