phpBB Host Header Injection Vulnerability Leading to Password Reset Link Poisoning

Vulnerability

A host header injection vulnerability has been identified in phpBB versions prior to 3.3.16 that can lead to password reset link poisoning. When the 'force_server_vars' option (the "Force server URL settings" option in the ACP) is disabled, phpBB derives the board's hostname from the HTTP Host header of the incoming request, and that hostname is used to build the URL placed in password reset emails. An attacker who can influence the Host header that reaches phpBB, for example because the web server answers requests for any Host value on its default virtual host or does not otherwise validate the header, can request a password reset for a victim and have the resulting email carry a link to an attacker-controlled domain. A victim who follows that link delivers the reset token to the attacker, potentially allowing account takeover. Upgrading to 3.3.16 or later, enabling 'force_server_vars' with the correct server name, and configuring the web server to reject requests with unexpected Host values all remove the attacker's control over the hostname.
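The mechanism above, as an added illustration that is not phpBB's own code: a minimal model of a reset-link builder that takes the hostname from the Host header when force_server_vars is off, next to a hardened builder that only echoes a Host value that is syntactically a hostname and explicitly allowlisted, and a small check that tells which authority a generated link points to. The URL path, parameter names, configuration field names and the sample request headers and token are assumptions constructed for this example.

```python
"""Password reset link poisoning via the HTTP Host header (added illustration).

Not phpBB's code: a model of the behaviour the advisory describes, with a
hardened variant beside it. URL path, parameter names and config field names
are assumptions made for illustration.
"""
from dataclasses import dataclass
import re

# A hostname, optionally with a port, that we are willing to echo into an email.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$")


@dataclass
class BoardConfig:
    force_server_vars: bool        # models the "Force server URL settings" option
    server_name: str               # configured hostname, e.g. "forum.example"
    server_protocol: str = "https://"
    script_path: str = "/forum"    # assumed board path


def resolve_host_as_described(cfg: BoardConfig, headers: dict) -> str:
    """Behaviour the advisory describes: with force_server_vars off, the
    hostname is whatever Host header the client sent."""
    if cfg.force_server_vars:
        return cfg.server_name
    return headers.get("Host", cfg.server_name)


def resolve_host_hardened(cfg: BoardConfig, headers: dict, allowed_hosts: set) -> str:
    """Hardened: honour the Host header only if it looks like a hostname and is
    explicitly allowlisted; otherwise fall back to the configured server name."""
    if cfg.force_server_vars:
        return cfg.server_name
    host = headers.get("Host", "")
    if _HOST_RE.match(host) and host.lower() in allowed_hosts:
        return host.lower()
    return cfg.server_name


def build_reset_link(host: str, cfg: BoardConfig, token: str) -> str:
    # Path and parameters are illustrative, not phpBB's exact reset URL.
    return f"{cfg.server_protocol}{host}{cfg.script_path}/ucp.php?mode=reset_password&token={token}"


def reset_link_as_described(cfg: BoardConfig, headers: dict, token: str) -> str:
    return build_reset_link(resolve_host_as_described(cfg, headers), cfg, token)


def reset_link_hardened(cfg: BoardConfig, headers: dict, token: str, allowed_hosts: set) -> str:
    return build_reset_link(resolve_host_hardened(cfg, headers, allowed_hosts), cfg, token)


def link_points_to(link: str, host: str) -> bool:
    """Check helper: does the link's authority (host[:port]) match `host`?"""
    authority = link.split("://", 1)[1].split("/", 1)[0]
    return authority.lower() == host.lower()


if __name__ == "__main__":
    cfg = BoardConfig(force_server_vars=False, server_name="forum.example")
    spoofed = {"Host": "attacker.example"}   # constructed request header
    token = "0123456789abcdef"               # constructed token
    print("as described:", reset_link_as_described(cfg, spoofed, token))
    print("hardened:    ", reset_link_hardened(cfg, spoofed, token, {"forum.example"}))
```

With force_server_vars set to True, both builders return the configured hostname regardless of the Host header, which is why enabling that option is the configuration-level fix; the allowlist in the hardened builder is what a multi-hostname deployment needs when the option must stay off.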

Impact

Exploitation of this vulnerability could result in unauthorized account access: a victim who follows the poisoned password reset link sends the reset token to the attacker's domain, and the attacker can then use that token to set a new password for the account.

Added: May 4, 2026, 7:36 AM
Updated: May 4, 2026, 7:36 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 7.2
remediation: 0.0
relevance: 7.3
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.