CVE-2025-27913

Published: Mar 10, 2025

Modified: Mar 11, 2025

PUBLISHED

Description

Passbolt API before 5, if the server is misconfigured (with an incorrect installation process and disregarding of Health Check results), can send email messages with a domain name taken from an attacker-controlled HTTP Host header.

Vendor	Product	Versions
Passbolt	API	affected `0 - < 5`

Weaknesses (CWE)

CWE-348

References

https://www.passbolt.com/incidents/host-header-injection

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-27913

Description

Affected Products

Weaknesses (CWE)

References