High severity8.2NVD Advisory· Published Mar 16, 2026· Updated Apr 16, 2026

CVE-2026-32616

Description

Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification link sent to the user's email to point to an attacker-controlled domain. This can lead to account takeover by stealing the email verification token. This vulnerability is fixed in 1.0.201.

Affected products

Kasuganosoras/Pigeonreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/kasuganosoras/Pigeon/releases/tag/1.0.201nvd
github.com/kasuganosoras/Pigeon/security/advisories/GHSA-rrj4-9wgq-prcrnvd

News mentions

Unplug your way to better code
Cisco Talos Intelligence · May 7, 2026

cvss	0.533
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000