Host Header Injection in e107 CMS Affects User Authentication
CVE-2026-43935

8.1 HIGH

Key Information:

Vendor: E107inc

Status
Vendor
CVE Published: 26 May 2026

What is CVE-2026-43935?

The password reset functionality of the e107 content management system is vulnerable to Host header injection. An attacker can manipulate the Host header of a password reset request so that the generated reset link points to a malicious domain, enabling phishing and potentially unauthorized account access. The issue affects versions prior to 2.3.4 and poses a significant risk to user authentication mechanisms.

Affected Version(s)

e107 < 2.3.4

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
