3 matches found
CVE-2026-32616
Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification lin...
HackerOne: Account Hijacking (Only rare case scenario)
Hi, This is a logical flaw in the application which may allow any arbitrary user to obtain account access of another user. Below is the exploit scenario which may lead to potential account takeover in certain circumstances: User changes email while he is logged in his own account Some wrong email...
Localize: Full path disclosure
I signed up for localize with [email protected], and localize sent me a verification link which was: http://www.localize.io/verify/e6be646b24pdd3w6d5c27ppa9a267ee7 When I visited that link I found it was showing the following error: Fatal error: Call to a member function...