Email Verification URL Vulnerability in Pigeon by Kasuganosora
CVE-2026-32616
8.2 HIGH
What is CVE-2026-32616?
The Pigeon application, a message board and social system platform, is vulnerable to Host header injection because it does not properly validate the $_SERVER['HTTP_HOST'] variable. An attacker can manipulate the Host header in HTTP requests so that the application creates malicious email verification links. These links direct users to an attacker-controlled domain, which lets the attacker steal verification tokens and hijack user accounts. The issue has been addressed in version 1.0.201.
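The pattern described above, as an added example that is not Pigeon's code: a verification-link builder that trusts the Host header, next to one that takes the origin from configuration and checks the header against an allowlist. The function names, `CANONICAL_ORIGIN`, `ALLOWED_HOSTS`, the `/verify` path and the example domains are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration with hypothetical names; not taken from the Pigeon code base.

// Assumed configuration values: the site's real origin and the hosts it answers to.
const CANONICAL_ORIGIN = 'https://forum.example.org';
const ALLOWED_HOSTS = ['forum.example.org'];

// Vulnerable pattern: the host part of the link is copied from the request,
// so whoever sends the request decides where the emailed link points.
function buildVerifyUrlVulnerable(array $server, string $token): string
{
    return 'https://' . $server['HTTP_HOST'] . '/verify?token=' . rawurlencode($token);
}

// Hardened pattern: the origin comes from configuration, never from the request.
function buildVerifyUrlHardened(string $token): string
{
    return CANONICAL_ORIGIN . '/verify?token=' . rawurlencode($token);
}

// Defence in depth: refuse requests whose Host header is not an expected name.
function isAllowedHost(array $server): bool
{
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    $host = (string) preg_replace('/:\d+$/', '', $host); // drop an optional port
    return in_array($host, ALLOWED_HOSTS, true);
}

// Constructed request data standing in for $_SERVER, with a client-chosen Host.
$request = ['HTTP_HOST' => 'attacker.example'];
$token = bin2hex(random_bytes(16));

// Print both links for comparison, then the allowlist decision for this request.
echo buildVerifyUrlVulnerable($request, $token), PHP_EOL;
echo buildVerifyUrlHardened($token), PHP_EOL;
echo isAllowedHost($request) ? 'host accepted' : 'host rejected', PHP_EOL;
```

A web server or reverse proxy that only routes known virtual host names gives the same allowlist effect before the request reaches PHP.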
Affected Version(s)
Pigeon < 1.0.201
