CVE-2026-43935
Host Header Injection in e107 CMS
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| e107inc | e107 | up to 2.3.4 (excluding 2.3.4) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-807 | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-43935 is a Host Header Injection vulnerability in the e107 content management system's password reset page. Before version 2.3.4, attackers could manipulate the HTTP Host header in requests to generate password reset links that point to attacker-controlled domains.
This happens because the password reset functionality used the Host header without proper validation when constructing reset links. By injecting a malicious Host header, attackers can cause the system to send password reset emails containing links to phishing or malicious sites.
The vulnerability enables phishing, account takeover, and related attacks on user authentication.
How can this vulnerability impact me?
This vulnerability can have serious security impacts including phishing attacks and account takeover.
- Attackers can manipulate password reset emails to contain links to malicious domains they control.
- Users may be tricked into clicking these malicious links, leading to credential theft or unauthorized access.
- The confidentiality and integrity of user accounts are at high risk due to this vulnerability.
Because the vulnerability affects a critical authentication function, it can undermine trust in the system and lead to significant security breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves manipulation of the Host header in HTTP requests to the password reset page of the e107 CMS. Detection involves monitoring HTTP requests for unusual or unexpected Host header values, especially those that differ from the configured site URL.
You can detect attempts by capturing HTTP traffic to the password reset endpoint and inspecting the Host headers for suspicious or attacker-controlled domains.
- Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests to the password reset page and examine Host headers.
- Example tcpdump command to capture plain-HTTP requests to the password reset page and print the Host header of each (adjust the interface, port and path as needed; this only works for unencrypted traffic, since the headers of HTTPS requests are not visible on the wire, so for TLS sites use the server logs instead):
- tcpdump -l -i eth0 -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -A 10 'POST /password_reset' | grep -i '^Host:'
- Use web server logs (e.g., Apache or Nginx access logs) to search for password reset requests with unusual Host header values.
- Example grep command on web server logs to count the Host header values seen on password reset requests per client. The default Apache "combined" format does not record the Host header at all (its eleventh field is the Referer), so this assumes the LogFormat has been changed to begin with %{Host}i (for example %{Host}i %h %l %u %t \"%r\" %>s %b), which makes the host the first field and the request path the eighth:
- grep 'password_reset' /var/log/apache2/access.log | awk '{print $1, $2, $8}' | sort | uniq -c
Note that the vulnerability is due to the system using the Host header without proper validation, so any Host header that does not match the configured site URL or its subdomains should be considered suspicious.
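Added example, not part of the original page: a small Python checker that applies the rule in the note above (any Host value that is neither the configured site host nor one of its subdomains is suspicious) to access-log lines. It assumes an Apache LogFormat that records the Host header as the first field; the log lines, hostnames, addresses and the /password_reset path are constructed placeholders, not data from a real e107 site.

```python
import re

# Assumed Apache LogFormat (an assumption of this example, not e107's or
# Apache's default): the Host request header is prepended to the common
# log format so it can be analysed:
#   LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %b" hostlog
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines; hostnames and addresses are placeholders.
SAMPLE_LOG = """\
www.example.org 198.51.100.7 - - [26/May/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
www.example.org 198.51.100.7 - - [26/May/2026:10:00:05 +0000] "POST /password_reset HTTP/1.1" 302 0
attacker.example 203.0.113.9 - - [26/May/2026:10:01:12 +0000] "POST /password_reset HTTP/1.1" 302 0
attacker.example:8080 203.0.113.9 - - [26/May/2026:10:01:13 +0000] "POST /password_reset HTTP/1.1" 302 0
blog.example.org 192.0.2.44 - - [26/May/2026:10:02:00 +0000] "POST /password_reset HTTP/1.1" 302 0
attacker.example 203.0.113.9 - - [26/May/2026:10:03:00 +0000] "GET /robots.txt HTTP/1.1" 200 26
"""

RESET_PATH = "/password_reset"  # placeholder; adjust to the reset script of your install


def host_is_trusted(host: str, site_host: str) -> bool:
    """True if the Host header names the configured site or one of its subdomains.

    A port suffix is ignored and the comparison is case-insensitive. The
    subdomain test requires a leading dot, so 'example.org.attacker.example'
    is not accepted just because it contains the site name.
    """
    name = re.sub(r":\d+$", "", host.lower())
    site_host = site_host.lower()
    return name == site_host or name.endswith("." + site_host)


def find_suspicious(log_text: str, site_host: str, reset_path: str = RESET_PATH):
    """Return (client_ip, host_header, path) for reset requests carrying an untrusted Host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not use the assumed format; skip it
        if m["path"].split("?", 1)[0] != reset_path:
            continue  # only the password reset endpoint is of interest here
        if not host_is_trusted(m["host"], site_host):
            hits.append((m["ip"], m["host"], m["path"]))
    return hits


if __name__ == "__main__":
    for ip, host, path in find_suspicious(SAMPLE_LOG, "example.org"):
        print(f"suspicious Host header {host!r} from {ip} on {path}")
```

Run against the constructed sample, the checker reports the two reset requests from 203.0.113.9 whose Host was attacker.example (with and without a port) and stays quiet about blog.example.org, which is a legitimate subdomain.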
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade the e107 CMS to version 2.3.4 or later, where this vulnerability is fixed.
The fix ensures that password reset links are generated using the configured site URL preference rather than the HTTP Host header, preventing Host Header Injection.
- Verify that the 'siteurl' preference in the e107 configuration is correctly set and starts with 'http', as enforced by the patch.
- If upgrading immediately is not possible, restrict access to the password reset page to trusted IPs or implement web application firewall (WAF) rules to block requests with suspicious Host headers.
- Monitor logs for any attempts to exploit the vulnerability and respond accordingly.
Do not rely on the HTTP Host header for generating password reset links until the system is patched.
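The mechanism described in the first answer and the fix described in this one, as an added Python illustration that is not e107's code (e107 itself is PHP): the function names, the /password_reset path, the hostnames and the token are constructed placeholders, and the check on the configured site URL is reconstructed from this answer's description of the patch, so it is an assumption about the patch's exact behaviour.

```python
from urllib.parse import urlencode, urlsplit

# Constructed request data: in the vulnerable flow the Host header is
# whatever the client sent, so it is attacker-influenced. The hostnames
# are placeholders, not real sites.
SPOOFED_HEADERS = {"Host": "attacker.example"}
SITEURL_PREF = "https://www.example.org/"   # stands in for e107's 'siteurl' preference


def reset_link_from_host_header(headers: dict, token: str) -> str:
    """Pre-2.3.4 pattern (reconstructed for illustration, not e107's actual code):
    the link is built from the request's Host header, so whoever controls that
    header controls where the e-mailed link points."""
    return f"https://{headers['Host']}/password_reset?{urlencode({'token': token})}"


def validated_siteurl(siteurl: str) -> str:
    """Accept the configured site URL only if it is an absolute http(s) URL with a
    hostname. The answer above says the patch checks that 'siteurl' starts with
    'http'; this reconstruction is deliberately stricter (scheme and host both
    required) so a mis-set preference fails loudly instead of producing a bad link."""
    parts = urlsplit(siteurl)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"siteurl preference is not a usable absolute URL: {siteurl!r}")
    return siteurl.rstrip("/")


def reset_link_from_siteurl(siteurl: str, token: str) -> str:
    """Fixed pattern: the link is derived from validated configuration only;
    the request's Host header is never consulted."""
    return f"{validated_siteurl(siteurl)}/password_reset?{urlencode({'token': token})}"


if __name__ == "__main__":
    token = "CONSTRUCTED-TOKEN"
    print("vulnerable:", reset_link_from_host_header(SPOOFED_HEADERS, token))
    print("fixed:     ", reset_link_from_siteurl(SITEURL_PREF, token))
```

The contrast is the whole point: with the same spoofed request, the first builder emits a link to attacker.example while the second emits one to the configured site, and a 'siteurl' that is not an absolute http(s) URL is rejected rather than silently used.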
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The Host Header Injection vulnerability in e107's password reset functionality allows attackers to generate password reset links pointing to attacker-controlled domains, which can lead to phishing attacks and account takeover.
Such security risks can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of user data and secure authentication mechanisms to prevent unauthorized access and data breaches.
Because this vulnerability affects a critical function related to user authentication and can compromise confidentiality and integrity of user accounts, it poses a risk to meeting these regulatory requirements.
The vulnerability is fixed in version 2.3.4 by ensuring password reset links are generated from a validated configured site URL rather than the HTTP Host header, mitigating the risk of phishing and account takeover.