Host Header Injection Vulnerability in phpBB by phpBB Group
CVE-2026-29199

8.1 HIGH

Key Information:

Vendor: phpBB
Status: Vendor
CVE Published: 4 May 2026

What is CVE-2026-29199?

phpBB versions prior to 3.3.16 are susceptible to a Host Header Injection vulnerability that allows attackers to manipulate password reset links. When the 'force_server_vars' setting is disabled, phpBB derives the server's hostname from the HTTP Host header, a value the client controls, so the password reset URLs it generates can be made to point at an attacker-controlled domain. An attacker can use this to conduct phishing attacks that direct victims to that domain and thereby compromise user accounts.
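The description above comes down to one design decision: where the base URL of a generated link gets its hostname. The following added example, written in generic Python rather than taken from phpBB, shows the vulnerable pattern (trust the Host header) next to a hardened one that mirrors the page's 'force_server_vars' idea (use the configured server name, or at minimum validate the request host against an allowlist), plus a check a defender can run over outbound reset links. The config keys, the allowlist, the '/reset_password' path and all sample values are assumptions constructed for the example and do not describe phpBB's actual configuration or routes.

```python
"""Added example for CVE-2026-29199: building password-reset links safely.

Not phpBB code. Config keys, hostnames, paths and tokens are constructed
for illustration only.
"""
from urllib.parse import urlsplit

# Constructed deployment configuration (assumption, not phpBB's schema).
# force_server_vars=True means: never consult the Host header at all.
CONFIG = {
    "force_server_vars": True,
    "server_protocol": "https://",
    "server_name": "forum.example.org",
    "script_path": "/forum",
}

# Hostnames this deployment legitimately answers for (constructed).
ALLOWED_HOSTS = {"forum.example.org", "www.forum.example.org"}


def unsafe_base_url(headers):
    """Vulnerable pattern: whatever the client sent in Host becomes the link host."""
    return "https://" + headers.get("Host", "") + CONFIG["script_path"]


def request_host(headers):
    """Normalise the Host header: lower-case, strip any port, reject empty values."""
    host = urlsplit("//" + headers.get("Host", "")).hostname
    if not host:
        raise ValueError("missing or malformed Host header")
    return host


def host_is_allowed(headers, allowed=ALLOWED_HOSTS):
    """True only if the normalised request host is on the allowlist."""
    try:
        return request_host(headers) in allowed
    except ValueError:
        return False


def safe_base_url(headers, config=CONFIG, allowed=ALLOWED_HOSTS):
    """Hardened pattern: prefer the configured name; otherwise allowlist the Host."""
    if config["force_server_vars"]:
        host = config["server_name"]
    else:
        if not host_is_allowed(headers, allowed):
            raise ValueError("Host header is not an allowed host")
        host = request_host(headers)
    return f"{config['server_protocol']}{host}{config['script_path']}"


def build_reset_url(headers, user_id, token, hardened=True, config=CONFIG):
    """Assemble the reset link; hardened=False reproduces the vulnerable behaviour."""
    base = safe_base_url(headers, config) if hardened else unsafe_base_url(headers)
    return f"{base}/reset_password?u={user_id}&token={token}"


def reset_link_is_canonical(url, config=CONFIG):
    """Defender-side check: does an outbound reset link point at our own host?"""
    return urlsplit(url).hostname == config["server_name"]


if __name__ == "__main__":
    # Constructed request whose Host header names a foreign domain.
    spoofed = {"Host": "evil.example"}
    print("vulnerable:", build_reset_url(spoofed, 42, "tok", hardened=False))
    print("hardened:  ", build_reset_url(spoofed, 42, "tok"))
```

With `force_server_vars` enabled the Host header is never consulted, so the spoofed request still yields a link on forum.example.org; with it disabled, the allowlist is what stands between the attacker and the mail template. The `reset_link_is_canonical` check is the kind of assertion worth adding to mail-sending code or to a log review, since a reset link whose host differs from the configured server name is exactly the symptom this CVE describes.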

Affected Version(s)

phpBB 3.0.0 through 3.3.15

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

SEONG HUN JEONG (HunSec)