Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification link sent to the user's email to point to an attacker-controlled domain. This can lead to account takeover by stealing the email verification token. This vulnerability is fixed in 1.0.201.
AnalysisAI
Host header injection vulnerability in Pigeon (a message board/blog system) versions prior to 1.0.201 that allows attackers to manipulate email verification URLs, potentially leading to account takeover. The vulnerability has a high CVSS score of 8.2 but requires user interaction (clicking a malicious link), and there is no indication of active exploitation in the wild or inclusion in CISA KEV.
Technical ContextAI
The vulnerability affects Pigeon (CPE: cpe:2.3:a:kasuganosoras:pigeon:*:*:*:*:*:*:*:*), an open-source message board/notepad/social system/blog application. The root cause is improper input validation (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) where the application directly uses $_SERVER['HTTP_HOST'] without sanitization when constructing email verification URLs in the register and resendmail flows. This allows attackers to inject arbitrary Host headers in HTTP requests, causing the application to generate verification emails with attacker-controlled domains.
RemediationAI
Update Pigeon to version 1.0.201 or later, which contains the fix for this vulnerability. The patch is available at https://github.com/kasuganosoras/Pigeon/releases/tag/1.0.201. For detailed security information, refer to the GitHub Security Advisory at https://github.com/kasuganosoras/Pigeon/security/advisories/GHSA-rrj4-9wgq-prcr. As a temporary mitigation, consider implementing server-side validation of the Host header or using a fixed domain for email verification URLs instead of relying on HTTP_HOST.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12133