CVE-2026-26747

Published: Feb 20, 2026

Modified: Feb 23, 2026

PUBLISHED

Description

A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "false". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/monicahq/monica

https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26747.md

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-26747

Description

Affected Products

References