CVE-2026-43935

EUVD-2026-31850

26.05.2026, 16:16

e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks, account takeover, or other security risks. The severity is high, as the vulnerability affects a critical function related to user authentication. This vulnerability is fixed in 2.3.4.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://github.com/e107inc/e107/commit/04511f9f1d6e97c31ba7cc5bf7f1f9a19d221db6

https://github.com/e107inc/e107/commit/b0dee8234e273debbf7a8ae054de464f1008f357

https://github.com/e107inc/e107/commit/c4f9f71b0fd695545d0f09e2277b6f70ff4660fc

https://github.com/e107inc/e107/security/advisories/GHSA-7pmw-jwvr-cq2x