Description
Raytha CMS allows an attacker to spoof the `X-Forwarded-Host` or `Host` header to point at an attacker-controlled domain. An attacker who knows the victim's email address can force the server to send an email whose password reset link points to the domain taken from the spoofed header. When the victim clicks the link, the browser sends a request to the attacker's domain with the token in the path, allowing the attacker to capture the token. This lets the attacker reset the victim's password and take over the victim's account.

This issue was fixed in version 1.4.6.
Published: 2026-03-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover via password reset
Action: Immediate Patch
AI Analysis

Impact

Raytha CMS is vulnerable to header poisoning. An attacker can spoof the X-Forwarded-Host or Host header to control the domain used in the password-reset emails the system sends. When a victim receives the email, the reset link points to the attacker-controlled domain. Clicking that link causes the victim's browser to send the password-reset token to the attacker's domain, where the attacker can capture it and reset the victim's password, fully compromising the account. The flaw is a header-poisoning weakness (CWE-348) that allows remote abuse of the password-reset mechanism.
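As an added example that is not Raytha's code, the following hypothetical Python reset-link builder shows the pattern this CVE describes (origin taken from request headers) beside a hardened version that builds the link from a configured canonical origin and only uses the request host to gate the flow against an allowlist. CANONICAL_ORIGIN, ALLOWED_HOSTS and the Request class are assumptions.

```python
# Added example (not Raytha's code): the header-poisoning pattern behind this
# CVE, as a hypothetical reset-link builder, beside a hardened version that
# never derives the link's origin from request headers.
from dataclasses import dataclass, field
from urllib.parse import quote

# Hypothetical, operator-configured public origin of the CMS and the hosts
# the deployment is allowed to answer for (what a host-validation middleware
# would enforce).
CANONICAL_ORIGIN = "https://cms.example.org"
ALLOWED_HOSTS = frozenset({"cms.example.org", "www.example.org"})


@dataclass
class Request:
    """Constructed stand-in for an inbound HTTP request (headers only)."""
    headers: dict = field(default_factory=dict)

    def header(self, name: str, default: str = "") -> str:
        # Header names are case-insensitive; normalise the lookup.
        lookup = {k.lower(): v for k, v in self.headers.items()}
        return lookup.get(name.lower(), default)


def requested_host(req: Request) -> str:
    """Host the client claims, as a reverse-proxy-aware app would read it."""
    return req.header("X-Forwarded-Host") or req.header("Host")


def is_trusted_host(req: Request) -> bool:
    """Allowlist check; strips any :port before comparing."""
    hostname = requested_host(req).split(":", 1)[0].lower()
    return hostname in ALLOWED_HOSTS


def build_reset_link_vulnerable(req: Request, token: str) -> str:
    """Trusts whatever host the client (or a spoofed proxy header) sent."""
    return f"https://{requested_host(req)}/reset-password/{quote(token, safe='')}"


def build_reset_link_hardened(req: Request, token: str) -> str:
    """Link origin comes from configuration; the request host only gates."""
    if not is_trusted_host(req):
        # Refuse (and log) rather than mail a link for an unknown host.
        raise ValueError(f"unknown host in reset request: {requested_host(req)!r}")
    return f"{CANONICAL_ORIGIN}/reset-password/{quote(token, safe='')}"
```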

Affected Systems

The affected vendor is Raytha for the product Raytha. Versions before 1.4.6 are vulnerable; the issue is fixed in Raytha 1.4.6 and later releases.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score is below 1%, suggesting a currently low likelihood of exploitation, and the vulnerability is not listed in CISA's KEV catalog. The attack appears to be initiated via the web interface. An attacker must know or obtain a victim's email address to trigger the password-reset flow and rely on the victim clicking the forged link, after which the attacker can capture the token and take over the account.

Generated by OpenCVE AI on March 17, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Raytha CMS update to version 1.4.6 or later to eliminate the vulnerability
  • Verify that the deployed version matches the fixed release by checking the application version or contacting Raytha support


Advisories

No advisories yet.

History

Mon, 16 Mar 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Raytha
                                      Raytha raytha
CPEs                                  cpe:2.3:a:raytha:raytha:*:*:*:*:*:*:*:*
Vendors & Products                    Raytha
                                      Raytha raytha
Metrics                               cvssV3_1
                                      {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Mon, 16 Mar 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 12:00:00 +0000

Type                 Values Removed   Values Added
Description                           Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker (who knows the victim's email address) can force the server to send an email with password reset link pointing to the domain from spoofed header. When victim clicks the link, browser sends request to the attacker’s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim's password and take over the victim's account. This issue was fixed in version 1.4.6.
Title                                 Header Poisoning in Raytha CMS
Weaknesses                            CWE-348
References
Metrics                               cvssV4_0
                                      {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-03-16T13:49:56.666Z

Reserved: 2025-12-30T08:44:21.410Z

Link: CVE-2025-69240

Vulnrichment

Updated: 2026-03-16T13:43:59.410Z

NVD

Status: Analyzed

Published: 2026-03-16T14:18:01.207

Modified: 2026-03-16T19:30:42.687

Link: CVE-2025-69240

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:02:38Z

Weaknesses