Skip to main content

Pigeon CVE-2026-32616

| EUVDEUVD-2026-12133 HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-03-13 GitHub_M
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 16, 2026 - 15:22 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:22 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.0.201
EUVD ID Assigned
Mar 13, 2026 - 22:01 euvd
EUVD-2026-12133
Analysis Generated
Mar 13, 2026 - 22:01 vuln.today
CVE Published
Mar 13, 2026 - 21:12 nvd
HIGH 8.2

DescriptionGitHub Advisory

Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification link sent to the user's email to point to an attacker-controlled domain. This can lead to account takeover by stealing the email verification token. This vulnerability is fixed in 1.0.201.

AnalysisAI

Host header injection vulnerability in Pigeon (a message board/blog system) versions prior to 1.0.201 that allows attackers to manipulate email verification URLs, potentially leading to account takeover. The vulnerability has a high CVSS score of 8.2 but requires user interaction (clicking a malicious link), and there is no indication of active exploitation in the wild or inclusion in CISA KEV.

Technical ContextAI

The vulnerability affects Pigeon (CPE: cpe:2.3:a:kasuganosoras:pigeon:*:*:*:*:*:*:*:*), an open-source message board/notepad/social system/blog application. The root cause is improper input validation (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) where the application directly uses $_SERVER['HTTP_HOST'] without sanitization when constructing email verification URLs in the register and resendmail flows. This allows attackers to inject arbitrary Host headers in HTTP requests, causing the application to generate verification emails with attacker-controlled domains.

RemediationAI

Update Pigeon to version 1.0.201 or later, which contains the fix for this vulnerability. The patch is available at https://github.com/kasuganosoras/Pigeon/releases/tag/1.0.201. For detailed security information, refer to the GitHub Security Advisory at https://github.com/kasuganosoras/Pigeon/security/advisories/GHSA-rrj4-9wgq-prcr. As a temporary mitigation, consider implementing server-side validation of the Host header or using a fixed domain for email verification URLs instead of relying on HTTP_HOST.

Share

CVE-2026-32616 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy