Host Header Injection Vulnerability in phpBB by phpBB Group
CVE-2026-29199
What is CVE-2026-29199?
phpBB versions prior to 3.3.16 are susceptible to a Host Header Injection vulnerability that lets an attacker control the hostname embedded in password reset links. When the board setting force_server_vars is disabled, phpBB derives the server name it uses to build absolute URLs from the HTTP Host header of the incoming request instead of from the configured server name. An attacker who submits a password reset request for a victim's account while supplying a forged Host header can therefore cause the reset e-mail sent to the victim to contain a link that points at an attacker-controlled domain. If the victim follows that link, the reset token it carries is delivered to the attacker's server, which can then be used to set a new password and take over the account. Upgrading to 3.3.16 resolves the issue; as an interim workaround, enabling force_server_vars makes phpBB build URLs from the configured protocol, server name, port and script path rather than from request-supplied values.
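The following is an added illustration, not phpBB's own code, of the mechanism described above: a base URL derived from the request's Host header ends up in the mailed reset link, while a force_server_vars-style setting or a hostname allowlist keeps the link on the administrator's domain. The names ForumConfig, board_url, build_reset_link, hostname_allowed and hardened_reset_link are hypothetical, the config keys only mirror phpBB's setting names, and the ucp.php reset path and the allowed_hosts field are assumptions for the example.

```python
"""Illustrative model (not phpBB code) of Host header poisoning of password
reset links. Hypothetical names throughout; the config keys mirror phpBB's
force_server_vars / server_protocol / server_name / server_port / script_path
settings, and the reset URL path is an assumption."""
import re
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass
class ForumConfig:
    force_server_vars: bool
    server_protocol: str = "https://"
    server_name: str = "forum.example.org"
    server_port: int = 443
    script_path: str = "/"
    # Hypothetical allowlist of hostnames this deployment answers for,
    # used only by the hardened variant below.
    allowed_hosts: tuple = ("forum.example.org",)


# Accepts "host" or "host:port"; rejects paths, userinfo, spaces, etc.
_HOST_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::(?P<port>\d{1,5}))?$"
)


def parse_host(header_value: str, default_port: int) -> tuple[str, int]:
    """Split a Host header into (lower-cased host, port); ValueError if malformed."""
    m = _HOST_RE.match(header_value.strip())
    if not m:
        raise ValueError(f"malformed Host header: {header_value!r}")
    port = int(m.group("port")) if m.group("port") else default_port
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in Host header: {header_value!r}")
    return m.group("host").lower(), port


def board_url(config: ForumConfig, host_header: str, secure: bool = True) -> str:
    """Base URL of the board, selected the way a force_server_vars setting would."""
    if config.force_server_vars:
        # Safe branch: every component comes from the administrator's configuration.
        proto, host, port = config.server_protocol, config.server_name, config.server_port
    else:
        # Vulnerable branch: the hostname is whatever the client sent in Host.
        proto = "https://" if secure else "http://"
        host, port = parse_host(host_header, 443 if secure else 80)
    default_port = 443 if proto == "https://" else 80
    authority = host if port == default_port else f"{host}:{port}"
    return f"{proto}{authority}{config.script_path.rstrip('/')}"


def build_reset_link(config, host_header, user_id, token, secure=True) -> str:
    """Reset link as the vulnerable flow would embed it in the e-mail."""
    query = urlencode({"mode": "reset_password", "u": user_id, "token": token})
    return f"{board_url(config, host_header, secure)}/ucp.php?{query}"


def hostname_allowed(host_header, config, secure=True) -> bool:
    """Allowlist check for deployments that must keep force_server_vars off."""
    try:
        host, _ = parse_host(host_header, 443 if secure else 80)
    except ValueError:
        return False
    return host in config.allowed_hosts


def hardened_reset_link(config, host_header, user_id, token, secure=True) -> str:
    """Same as build_reset_link, but refuses to mint a link for an untrusted Host."""
    if not config.force_server_vars and not hostname_allowed(host_header, config, secure):
        raise ValueError(f"refusing password reset link for untrusted Host {host_header!r}")
    return build_reset_link(config, host_header, user_id, token, secure)


if __name__ == "__main__":
    # Constructed scenario: attacker requests a reset for user 42 and forges Host.
    token = secrets.token_hex(16)
    forged_host = "attacker.example"
    weak = ForumConfig(force_server_vars=False)
    print("vulnerable:        ", build_reset_link(weak, forged_host, 42, token))
    fixed = ForumConfig(force_server_vars=True)
    print("force_server_vars: ", build_reset_link(fixed, forged_host, 42, token))
    try:
        hardened_reset_link(weak, forged_host, 42, token)
    except ValueError as err:
        print("allowlist:         ", err)
```

With force_server_vars off, the first link is minted on attacker.example and carries the victim's token; with it on, the forged Host is ignored entirely. The allowlist variant is the generic defence for any application that cannot be told its canonical hostname: validate Host against the names the deployment actually serves before using it in anything that reaches a user.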
Affected Version(s)
phpBB 3.0.0 through 3.3.15 (fixed in 3.3.16)
