jameschz Hush Framework Host Header Injection Vulnerability in Util.php

Vulnerability

A host header injection vulnerability has been identified in jameschz Hush Framework version 2.0. The issue resides in the file Hush\hush-lib\hush\Util.php, within the HTTP Host Header Handler component. The application uses the HTTP Host header value from $_SERVER['HOST'] directly to generate URLs and output, without proper validation or sanitization. Remote attackers can therefore manipulate the Host header to inject malicious content, with impacts such as web cache poisoning, open redirects, cross-site scripting, server-side request forgery, and manipulation of account-related links.
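
The pattern described above next to one way of closing it, as an added example that is not code from Hush's Util.php. The function names, the allowlist and the sample requests are constructed for illustration, and the header is read from PHP's standard `$_SERVER['HTTP_HOST']` key.

```php
<?php
// Added example: hypothetical helpers, not taken from Hush's Util.php.

// Constructed configuration: the hostnames this deployment actually serves.
const ALLOWED_HOSTS  = ['www.example.com', 'example.com'];
const CANONICAL_HOST = 'www.example.com';

// Weak pattern: the client-supplied Host header flows straight into a URL.
function buildUrlUnsafe(array $server, string $path): string
{
    return 'https://' . ($server['HTTP_HOST'] ?? '') . $path;
}

// Hardened: normalise the header, accept it only on an exact allowlist
// match, and otherwise fall back to the configured canonical host.
function trustedHost(array $server): string
{
    $host = strtolower(trim((string) ($server['HTTP_HOST'] ?? '')));
    $host = preg_replace('/:\d{1,5}$/', '', $host); // drop an optional port
    $host = rtrim($host, '.');                      // drop a trailing root dot
    return in_array($host, ALLOWED_HOSTS, true) ? $host : CANONICAL_HOST;
}

function buildUrlSafe(array $server, string $path): string
{
    return 'https://' . trustedHost($server) . $path;
}

// Constructed requests: two legitimate hosts, an unknown host, a value
// carrying markup characters, and a request with no Host header at all.
$samples = [
    ['HTTP_HOST' => 'www.example.com'],
    ['HTTP_HOST' => 'EXAMPLE.com:443'],
    ['HTTP_HOST' => 'unknown.example.net'],
    ['HTTP_HOST' => 'www.example.com"><i>'],
    [],
];

foreach ($samples as $server) {
    echo 'Host:   ', json_encode($server['HTTP_HOST'] ?? null), PHP_EOL;
    echo 'unsafe: ', buildUrlUnsafe($server, '/account/reset'), PHP_EOL;
    echo 'safe:   ', buildUrlSafe($server, '/account/reset'), PHP_EOL, PHP_EOL;
}
```

Only allowlisted hosts survive in the `safe` lines; every other value, including the missing header, resolves to the canonical host, so generated links and cache keys no longer depend on client input.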

Impact

Exploitation of this vulnerability results in host header injection: the HTTP header value is not properly neutralized, so it can be used to inject scripting syntax that is executed by the client's browser.

Added: Nov 20, 2025, 3:46 PM
Updated: Nov 20, 2025, 3:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 8.7
remediation: 0.0
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.