Description
Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification link sent to the user's email to point to an attacker-controlled domain. This can lead to account takeover by stealing the email verification token. This vulnerability is fixed in 1.0.201.
Published: 2026-03-13
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover via Host Header Injection
Action: Patch
AI Analysis

Impact

Pigeon uses the HTTP Host header without validation when creating email verification URLs in the register and resendmail flows. An attacker can inject a malicious Host header in a request, causing the verification link that is emailed to the user to point to an attacker-controlled domain. When the victim clicks the link, the request, and the verification token it carries, goes to the attacker's domain; the attacker can then replay the token against the real site to complete verification and take over the account. This flaw is a classic Host Header Injection, classified as CWE-74.
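The vulnerable pattern the description names, shown beside a hardened version, as an added illustration that is not Pigeon's own code (function names, `APP_BASE_URL` and the sample Host value are assumptions made for the example):

```php
<?php
// Constructed illustration of CWE-74 host header injection in a
// verification-link builder. Not taken from Pigeon; names are assumed.

// VULNERABLE pattern: the link's host is copied from the request, so a
// client that sets "Host: <other domain>" controls where the link points.
function buildVerifyUrlVulnerable(string $token): string
{
    $host = $_SERVER['HTTP_HOST'];                     // untrusted input
    return 'https://' . $host . '/verify.php?token=' . urlencode($token);
}

// HARDENED: the public base URL is a server-side setting, never the request.
const APP_BASE_URL = 'https://example.com';            // assumed config value

function buildVerifyUrlSafe(string $token): string
{
    return APP_BASE_URL . '/verify.php?token=' . urlencode($token);
}

// Defence in depth: reject and log any request whose Host header is not on
// the deployment's allowlist, so a proxy misconfiguration cannot reintroduce
// the issue. An optional ":port" suffix is stripped before comparison.
function assertTrustedHost(array $allowedHosts): void
{
    $host = strtolower($_SERVER['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);
    if (!in_array($host, $allowedHosts, true)) {
        error_log('Rejected request with untrusted Host header: ' . $host);
        http_response_code(400);
        exit('Bad Request');
    }
}

// Demonstration under php-cli with a constructed hostile Host value.
$_SERVER['HTTP_HOST'] = 'not-the-real-site.example';   // constructed
$token = bin2hex(random_bytes(16));                     // fresh random token
echo buildVerifyUrlVulnerable($token), PHP_EOL;        // host is attacker-chosen
echo buildVerifyUrlSafe($token), PHP_EOL;              // host is example.com
assertTrustedHost(['example.com']);                    // logs and exits 400
```

The allowlist check runs last because it terminates the script; in a real application it belongs at the front controller, before any link is built.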

Affected Systems

The vulnerability affects the Pigeon message board/notepad/social system/blog from kasuganosoras. Any deployment of Pigeon with a version prior to 1.0.201 is susceptible. Version 1.0.201 and later contain the fix. No other products are listed.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, and the flaw is exploitable remotely via a crafted HTTP request. However, the EPSS score is below 1%, suggesting that the likelihood of exploitation is currently low, and the CVE is not yet listed in the KEV catalog. The risk remains significant for systems that have not been upgraded: an attacker who can control the Host header of a register or resendmail request can redirect the verification link, obtain the email verification token and take over legitimate user accounts.

Generated by OpenCVE AI on March 19, 2026 at 15:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pigeon to version 1.0.201 or newer to eliminate the Host Header Injection flaw.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Kasuganosoras; Kasuganosoras pigeon
Vendors & Products | | Kasuganosoras; Kasuganosoras pigeon

Fri, 13 Mar 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification link sent to the user's email to point to an attacker-controlled domain. This can lead to account takeover by stealing the email verification token. This vulnerability is fixed in 1.0.201.
Title | | Pigeon has a Host Header Injection in email verification flow
Weaknesses | | CWE-74
References | |
Metrics | | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T16:46:32.353Z

Reserved: 2026-03-12T14:54:24.271Z

Link: CVE-2026-32616

Vulnrichment

Updated: 2026-03-16T16:46:29.485Z

NVD

Status : Deferred

Published: 2026-03-16T14:19:39.393

Modified: 2026-04-16T14:57:08.337

Link: CVE-2026-32616

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:39:24Z

Weaknesses