High severity (CVSS 7.1) · NVD Advisory · Published Oct 16, 2025 · Updated Apr 15, 2026
CVE-2025-61543
Description
A Host Header Injection vulnerability exists in the password reset functionality of CraftMyCMS 4.0.2.2. The system uses $_SERVER['HTTP_HOST'] directly to construct the password reset links it sends by email, so the link's origin is taken from a client-controlled request header. An attacker who manipulates the Host header of a reset request can cause the system to email a reset link pointing to a host of their choosing, enabling phishing attacks or account takeover.
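The pattern the description refers to, shown as an added PHP illustration rather than CraftMyCMS's own code: a reset-link builder that trusts $_SERVER['HTTP_HOST'] next to a hardened version that takes the origin from deploy-time configuration and rejects requests whose Host is not on an allowlist. The constants, function names, hosts and the `reset-password.php` path are all hypothetical; the sample requests are constructed inline so the script runs from the PHP CLI.

```php
<?php
// Added illustration (not CraftMyCMS code): the vulnerable pattern described
// in the advisory next to a hardened version. All names are hypothetical.

declare(strict_types=1);

// Hypothetical application config: the canonical public origin is fixed at
// deploy time and is never derived from the incoming request.
const APP_BASE_URL  = 'https://cms.example.com';
const ALLOWED_HOSTS = ['cms.example.com', 'www.cms.example.com'];

/**
 * Vulnerable pattern: the link's origin is copied from the Host header, which
 * the client controls. Whatever host the request carried ends up in the email.
 */
function buildResetLinkVulnerable(string $token): string
{
    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $_SERVER['HTTP_HOST'] . '/reset-password.php?token=' . $token;
}

/**
 * Hardened pattern: the origin comes from configuration, the token is
 * URL-encoded, and the request's Host header is only consulted to reject
 * requests that do not match the allowlist (defence in depth, not the source
 * of the link).
 */
function buildResetLinkSafe(string $token): string
{
    $requestHost = strtolower($_SERVER['HTTP_HOST'] ?? '');
    // Drop an explicit port before comparing (e.g. "cms.example.com:443").
    $requestHost = explode(':', $requestHost, 2)[0];
    if (!in_array($requestHost, ALLOWED_HOSTS, true)) {
        throw new RuntimeException('Request Host not in allowlist: ' . $requestHost);
    }
    return APP_BASE_URL . '/reset-password.php?token=' . rawurlencode($token);
}

// Constructed sample requests; a real application reads these from the web server.
$token = bin2hex(random_bytes(16));

$_SERVER['HTTP_HOST'] = 'cms.example.com';
$_SERVER['HTTPS']     = 'on';
echo "Expected Host:\n";
echo "  vulnerable: ", buildResetLinkVulnerable($token), "\n";
echo "  hardened:   ", buildResetLinkSafe($token), "\n";

// Constructed tampered request; ".invalid" is a reserved (RFC 2606) TLD.
$_SERVER['HTTP_HOST'] = 'untrusted.invalid';
echo "Tampered Host:\n";
echo "  vulnerable: ", buildResetLinkVulnerable($token), "\n";
try {
    echo "  hardened:   ", buildResetLinkSafe($token), "\n";
} catch (RuntimeException $e) {
    echo "  hardened:   rejected (", $e->getMessage(), ")\n";
}
```

With the expected Host both builders produce a link on `cms.example.com`; with the tampered Host the vulnerable builder emits a link on `untrusted.invalid` while the hardened builder refuses the request. The allowlist check is worth keeping even when the origin is configured, because a mismatched Host is a useful signal to log and alert on.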
Affected products
Range: <= 4.0.2.2
Patches
Vulnerability mechanics
References
News mentions
No linked articles in our index yet.