EUVD-2026-12133CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
3Description
Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification link sent to the user's email to point to an attacker-controlled domain. This can lead to account takeover by stealing the email verification token. This vulnerability is fixed in 1.0.201.
Analysis
Host header injection vulnerability in Pigeon (a message board/blog system) versions prior to 1.0.201 that allows attackers to manipulate email verification URLs, potentially leading to account takeover. The vulnerability has a high CVSS score of 8.2 but requires user interaction (clicking a malicious link), and there is no indication of active exploitation in the wild or inclusion in CISA KEV.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Pigeon installations and document their versions; notify users of the risk and advise against clicking verification links from untrusted sources. Within 7 days: Implement WAF rules to detect and block suspicious host header values; consider disabling email verification features if not critical. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today