QwikSec

Security Database

CVE

CWE

Training

CVE-2025-61136

Published: Oct 23, 2025

Modified: Oct 23, 2025

PUBLISHED

Description

A Host Header Injection vulnerability in the password reset component in axewater sharewarez v2.4.3 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask's url_for(_external=True) generates reset links without a fixed SERVER_NAME.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning

https://drive.google.com/file/d/15X5L1uEqgWOLrjKqm96cEPAWp2ph0zJp/view?usp=sharing

https://github.com/axewater/sharewarez/blob/d04c90b7dc3fbae1596f731d1b168d3fb9fdd2df/modules/routes_login.py#L188-L217

https://github.com/axewater/sharewarez/blob/d04c90b7dc3fbae1596f731d1b168d3fb9fdd2df/modules/utils_smtp.py#L191-L206

https://gist.github.com/BrookeYangRui/145e529b5fd4f56af299efde37edf4fa

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.