JUNG Smart Visu Server 1.1.1050 is vulnerable to request header manipulation, allowing an attacker to inject arbitrary values into the X-Forwarded-Host header. This improper neutralization permits the attacker to override the intended request URL. The result is that the server will forward the request to a user-supplied host, potentially delivering tainted content, triggering cache-poisoned responses, or redirecting clients to malicious domains. The vulnerability is not limited to authenticated users; any entity that can send HTTP requests to the server may exploit it, providing a path to phishing or cache-based attacks.

The affected product is Jung Smart Visu Server from Albrecht Jung GmbH & Co. KG. The CVE references version 1.1.1050 of the server software and the corresponding firmware bundle. Systems running this exact firmware release are impacted unless a later, patched release is deployed. No other product versions were explicitly listed in the advisory.

The CVSS base score of 8.7 classifies the vulnerability as High. EPSS indicates a sub-1% chance of exploitation, suggesting it is low-probability, but the lack of a KEV listing implies it is currently unconfirmed or not widely exploited. Attackers can exploit the flaw by sending crafted HTTP requests containing a malicious X-Forwarded-Host value, which does not require authentication or privileged access. Successful exploitation allows an attacker to control the target host presented to downstream systems and end users, enabling cache poisoning, phishing, and arbitrary user redirection.