CVE-2026-43935
Deferred Deferred - Pending Action
Host Header Injection in e107 CMS

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: GitHub, Inc.

Description
e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks, account takeover, or other security risks. The severity is high, as the vulnerability affects a critical function related to user authentication. This vulnerability is fixed in 2.3.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-43935
EUVD
EUVD-2026-31850
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
e107inc e107 to 2.3.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-43935 is a Host Header Injection vulnerability in the e107 content management system's password reset page. Before version 2.3.4, attackers could manipulate the HTTP Host header in requests to generate password reset links that point to attacker-controlled domains.

This happens because the password reset functionality used the Host header without proper validation when constructing reset links. By injecting a malicious Host header, attackers can cause the system to send password reset emails containing links to phishing or malicious sites.

The vulnerability allows attackers to potentially perform phishing attacks, account takeover, or other security risks related to user authentication.

Impact Analysis

This vulnerability can have serious security impacts including phishing attacks and account takeover.

  • Attackers can manipulate password reset emails to contain links to malicious domains they control.
  • Users may be tricked into clicking these malicious links, leading to credential theft or unauthorized access.
  • The confidentiality and integrity of user accounts are at high risk due to this vulnerability.

Because the vulnerability affects a critical authentication function, it can undermine trust in the system and lead to significant security breaches.

Detection Guidance

This vulnerability involves manipulation of the Host header in HTTP requests to the password reset page of the e107 CMS. Detection involves monitoring HTTP requests for unusual or unexpected Host header values, especially those that differ from the configured site URL.

You can detect attempts by capturing HTTP traffic to the password reset endpoint and inspecting the Host headers for suspicious or attacker-controlled domains.

  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests to the password reset page and examine Host headers.
  • Example tcpdump command to capture HTTP requests to the password reset page (adjust interface and port as needed):
  • tcpdump -i eth0 -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /password_reset'
  • Use web server logs (e.g., Apache or Nginx access logs) to search for password reset requests with unusual Host header values.
  • Example grep command on web server logs to find suspicious Host headers:
  • grep 'password_reset' /var/log/apache2/access.log | awk '{print $1, $7, $11}' | sort | uniq -c

Note that the vulnerability is due to the system using the Host header without proper validation, so any Host header that does not match the configured site URL or its subdomains should be considered suspicious.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade the e107 CMS to version 2.3.4 or later, where this vulnerability is fixed.

The fix ensures that password reset links are generated using the configured site URL preference rather than the HTTP Host header, preventing Host Header Injection.

  • Verify that the 'siteurl' preference in the e107 configuration is correctly set and starts with 'http', as enforced by the patch.
  • If upgrading immediately is not possible, restrict access to the password reset page to trusted IPs or implement web application firewall (WAF) rules to block requests with suspicious Host headers.
  • Monitor logs for any attempts to exploit the vulnerability and respond accordingly.

Do not rely on the HTTP Host header for generating password reset links until the system is patched.

Compliance Impact

The Host Header Injection vulnerability in e107's password reset functionality allows attackers to generate password reset links pointing to attacker-controlled domains, which can lead to phishing attacks and account takeover.

Such security risks can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of user data and secure authentication mechanisms to prevent unauthorized access and data breaches.

Because this vulnerability affects a critical function related to user authentication and can compromise confidentiality and integrity of user accounts, it poses a risk to meeting these regulatory requirements.

The vulnerability is fixed in version 2.3.4 by ensuring password reset links are generated from a validated configured site URL rather than the HTTP Host header, mitigating the risk of phishing and account takeover.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43935. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart