CVE-2026-29199

Published: May 4, 2026

Modified: May 4, 2026

PUBLISHED

Description

phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.

Vendor	Product	Versions
phpBB	phpBB	affected `3.0.0 - <= 3.3.15`

Weaknesses (CWE)

CWE-640

References

https://hackerone.com/reports/3543246

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-29199

Description

Affected Products

Weaknesses (CWE)

References