Medium severity6.5NVD Advisory· Published Oct 31, 2016· Updated May 6, 2026

CVE-2016-7965

Description

DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead of the baseurl setting as part of the password-reset URL. This can lead to phishing attacks. (A remote unauthenticated attacker can change the URL's hostname via the HTTP Host header.) The vulnerability can be triggered only if the Host header is not part of the web server routing process (e.g., if several domains are served by the same web server).

Affected products

Dokuwiki/Dokuwiki
cpe:2.3:a:dokuwiki:dokuwiki:*:*:*:*:*:*:*:*
Range: <=2016-06-26a

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/splitbrain/dokuwiki/issues/1709nvdExploitVendor Advisory
www.securityfocus.com/bid/94237nvd

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000