CVE-2026-29199
Published 2026-05-04. CVE-2026-29199: phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's…
Priority: P343 (high) · CVSS 3.1 base score 8.1 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS: 0.25% (16.1 percentile)
phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be taken from the HTTP Host header, which is then used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through a misconfigured virtual host setup or missing Host header validation by the web server) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.
Affected: 4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpbb | phpbb | < 3.3.16 | 3.3.16 |
| phpbb | phpbb | >= 3.0.0 < 3.3.16 | 3.3.16 |
| phpbb | phpbb | 3.0.0 – 3.3.15 | — |
| phpbb | phpbb | >= 4.0.0-a1 < 4.0.0-a2 | 4.0.0-a2 |
VulDB
vuldb · 2026-06-01 · CVSS 8.1 · HIGH
phpBB up to 3.3.15 Header Validation force_server_vars password recovery
A vulnerability, which was classified as problematic, was found in phpBB up to 3.3.15. This issue affects the function force_server_vars of the component Header Validation Handler. The manipulation results in weak password recovery.
This vulnerability is identified as CVE-2026-29199. The attack can be executed remotely. There is no exploit available.
You should upgrade the affected component.
GHSA (unreviewed)
ghsa_unreviewed · 2026-05-04 · HIGH · CWE-640
GHSA-7gm6-w7mx-58cr: phpBB before 3
GHSA
ghsa · 2026-05-04 · HIGH · CWE-640
phpBB has Password Reset Link Poisoning via Host Header injection
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-04