VYPR
High severity 8.1 · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-43935

Description

e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks, account takeover, or other security risks. The severity is high, as the vulnerability affects a critical function related to user authentication. This vulnerability is fixed in 2.3.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

e107 CMS before 2.3.4 has a Host Header Injection in password reset allowing attackers to craft malicious reset links for phishing and account takeover.

Vulnerability

A Host Header Injection vulnerability exists in the password reset page (fpw.php) of e107 CMS versions prior to 2.3.4 [1]. The application uses the Host header from the HTTP request to generate password reset links without proper validation, allowing an attacker to inject a malicious domain [1]. The fix introduces a check on the siteurl preference and validates it against the Host header [2][3][4].

Exploitation

An attacker must be able to intercept or modify the HTTP request during the password reset process, typically through a man-in-the-middle position or by controlling a proxy [1]. The attacker changes the Host header to a domain they control, and the application then generates a password reset link containing that domain. This link is sent to the user's email, and if the user clicks it, they may visit the attacker's site where the reset token can be captured [1].

Impact

Successful exploitation allows an attacker to conduct phishing attacks, steal password reset tokens, and potentially take over user accounts [1]. The vulnerability is rated high severity as it compromises a critical authentication function.

Mitigation

The vulnerability is fixed in e107 version 2.3.4 [1]. Administrators should upgrade immediately. Additionally, ensure the siteurl preference is set in Admin → Preferences (see fix in [2]), and that the site enforces a consistent URL scheme (see [3] and [4] for improvements in Host header validation). No workaround is available other than patching [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • E107/E107 · references · 2 versions
    • (no CPE)
    • (no CPE), range: <2.3.4

Patches

3
04511f9f1d6e

fix(fpw): Refuse password reset when `siteurl` pref is empty

https://github.com/e107inc/e107 · Nick Liu · Apr 23, 2026 · via nvd-ref
2 files changed · +9 -3
  • e107_languages/English/lan_fpw.php · +1 -2 · modified
    @@ -52,5 +52,4 @@
     define("LAN_FPW_100", "Forgot your password?");
     define("LAN_FPW_101", "Not to worry. Just enter your email address below and we'll send you an email with instructions to get it back.");
     define("LAN_FPW_102", "Reset Password");
    -
    -
    +define("LAN_FPW_MISCONFIGURED", "Password reset is currently unavailable due to a site configuration issue. Please contact the site administrator.");
    
  • fpw.php · +8 -1 · modified
    @@ -83,6 +83,13 @@ function fpw_error($txt)
     	exit;
     }
     
    +$fpw_siteurl = e107::getPref('siteurl');
    +if (empty($fpw_siteurl))
    +{
    +	error_log('fpw.php: Password reset blocked because the "siteurl" preference is not set. Configure it in Admin → Preferences.');
    +	fpw_error(LAN_FPW_MISCONFIGURED);
    +}
    +
     //the separator character used
     define('FPW_SEPARATOR', '#');
     //$fpw_sep = '#';
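Review bot: the `empty($fpw_siteurl)` guard only rejects an unset preference, so a value without a scheme or host (a bare host name, for example) still passes and ends up in the emailed link. Consider checking `parse_url($fpw_siteurl, PHP_URL_SCHEME)` and `parse_url($fpw_siteurl, PHP_URL_HOST)` here and treating a failure the same way as the empty case. It is also worth documenting that password reset now depends on `siteurl` being set, since an install with an empty pref loses the feature after this change.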
    @@ -256,7 +263,7 @@ function fpw_error($txt)
     	//	$rcode 		= crypt(($_SERVER['HTTP_USER_AGENT'] . serialize($pref). $clean_email . $datekey), e_TOKEN);
     
     		// Prepare email
    -		$link 		= SITEURL.'fpw.php?'.$rcode;
    +		$link 		= rtrim($fpw_siteurl, '/').'/fpw.php?'.$rcode;
     		$message 	= LAN_FPW5.' '.SITENAME.' '.LAN_FPW14.': '.e107::getIPHandler()->getIP(TRUE).".\n\n".LAN_FPW15."\n\n".LAN_FPW16."\n\n".LAN_FPW17."\n\n{$link}";
     
     		// Set timestamp two days ahead so it doesn't get auto-deleted
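Review bot: the new `$link` line would benefit from a one-line comment saying why `$fpw_siteurl` is used instead of `SITEURL`, so a later cleanup does not switch it back to the constant. The nearby `// Prepare email` comment is the natural place for it.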
    
c4f9f71b0fd6

Issue #5458 - support subdomains

https://github.com/e107inc/e107 · camer0n · Mar 30, 2025 · via nvd-ref
1 file changed · +2 -1
  • e107_handlers/e107_class.php · +2 -1 · modified
    @@ -5525,13 +5525,14 @@ public function inAdminDir($e107Path, $curPage, $isPluginDir)
     	public function set_urls_deferred()
     	{
     		$siteurl = self::getPref('siteurl');
    +		$configured_host = parse_url($siteurl, PHP_URL_HOST);
     
     		if(self::isCli())
     		{
     			define('SITEURL', $siteurl);
     			define('SITEURLBASE', rtrim(SITEURL,'/'));
     		}
    -		elseif(strpos($siteurl,'http')!== false && strpos($siteurl, $_SERVER['HTTP_HOST'])===false)
    +		elseif(!empty($configured_host) && strpos($siteurl,'http')!== false && $configured_host !== $_SERVER['HTTP_HOST'] && substr($_SERVER['HTTP_HOST'], - strlen('.' . $configured_host)) !== ('.' . $configured_host))
     		{
     			die('Site Configuration Issue Detected. Please contact your webmaster.');
     			error_log('The configured siteurl in your preferences does not match the HTTP_HOST: '.$_SERVER['HTTP_HOST']);
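Review bot: the new `elseif` compares `$configured_host` with `$_SERVER['HTTP_HOST']` byte for byte, but `parse_url($siteurl, PHP_URL_HOST)` drops the port and keeps the configured letter case, while the Host header may carry `:port` and any case. A site served on a non-default port, or a request with a differently cased host name, would hit the `die()`. Lowercase both sides and strip a trailing `:port` from the header before the exact and suffix comparisons. Note also that `!empty($configured_host)` means the whole check is skipped when the pref does not parse to a host.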
    
b0dee8234e27

Issue #5458 Make sure configured siteurl preference contains 'http'.

https://github.com/e107inc/e107 · camer0n · Mar 30, 2025 · via nvd-ref
2 files changed · +9 -2
  • e107_admin/prefs.php · +1 -1 · modified
    @@ -362,7 +362,7 @@ function sendTest()
     						<td><label for='siteurl'>".PRFLAN_3."</label>
     						".($pref['siteurl'] == SITEURL ? "" : $frm->help(PRFLAN_159.": <strong>".SITEURL."</strong>"))."</td>
     						<td>
    -							".$frm->text('siteurl', $pref['siteurl'], 150, 'size=xxlarge')."
    +							".$frm->text('siteurl', $pref['siteurl'], 150, ['size'=>'xxlarge', 'required'=>1, 'pattern' => '^http.*', 'placeholder'=>'eg. '.SITEURL])."
     						</td>
     					</tr>
     					<tr>
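Review bot: `'pattern' => '^http.*'` on the `siteurl` field is a browser-side hint only and also accepts values such as `httpfoo`. Tighten it to something like `^https?://.+` and validate the submitted value on the server when the pref is saved, since the form attribute alone does not guarantee what is stored.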
    
  • e107_handlers/e107_class.php · +8 -1 · modified
    @@ -5524,11 +5524,18 @@ public function inAdminDir($e107Path, $curPage, $isPluginDir)
     	 */
     	public function set_urls_deferred()
     	{
    +		$siteurl = self::getPref('siteurl');
    +
     		if(self::isCli())
     		{
    -			define('SITEURL', self::getPref('siteurl'));
    +			define('SITEURL', $siteurl);
     			define('SITEURLBASE', rtrim(SITEURL,'/'));
     		}
    +		elseif(strpos($siteurl,'http')!== false && strpos($siteurl, $_SERVER['HTTP_HOST'])===false)
    +		{
    +			die('Site Configuration Issue Detected. Please contact your webmaster.');
    +			error_log('The configured siteurl in your preferences does not match the HTTP_HOST: '.$_SERVER['HTTP_HOST']);
    +		}
     		else
     		{
     			define('SITEURLBASE', $this->HTTP_SCHEME.'://'. filter_var($_SERVER['HTTP_HOST'], FILTER_SANITIZE_URL));
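Review bot: in the added `elseif` block, `die(...)` runs before `error_log(...)`, so the log line is never written; swap the two statements. The condition also uses `strpos($siteurl, $_SERVER['HTTP_HOST'])`, a substring test, so any Host value that happens to occur inside the configured URL (a fragment of the host name, for instance) passes; compare against `parse_url($siteurl, PHP_URL_HOST)` instead. When `siteurl` does not contain `http`, the check is skipped and the `else` branch still builds `SITEURLBASE` from `HTTP_HOST`.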
    

Vulnerability mechanics

Root cause

"Missing validation of the HTTP Host header when generating password reset links allows an attacker to inject a malicious domain."

Attack vector

An attacker intercepts or crafts a password reset HTTP request (POST to `/reset-password` or `fpw.php`) and modifies the `Host` header to point to an attacker-controlled domain [1]. The application uses the unvalidated `Host` header to generate the password reset link, which is then emailed to the legitimate user [1]. If the user clicks the link, they are taken to the attacker's domain, where credentials or the reset token can be harvested, leading to account takeover [1]. No authentication is required; the attacker only needs to know a valid email address registered on the site [1].

Affected code

The vulnerability resides in `fpw.php`, the password reset page. The original code used the `SITEURL` constant (which can be derived from the `HTTP_HOST` header) to build the password reset link sent via email [1][2]. The core URL bootstrap in `set_urls_deferred()` also lacked validation of the `Host` header against the configured `siteurl` preference [3][4].

What the fix does

Patch [patch_id=2563974] modifies `fpw.php` to read the `siteurl` preference directly via `e107::getPref('siteurl')` and refuses to run if that preference is empty, then uses the configured value instead of the `SITEURL` constant to build the reset link [2]. Patches [patch_id=2563975] and [patch_id=2563976] add validation in `set_urls_deferred()`: the bootstrap now compares the `Host` header against the configured `siteurl` (with subdomain support) and terminates with a "Site Configuration Issue" message on mismatch [3][4]. Together these changes ensure password reset links are always generated from the administrator-configured domain, not from an attacker-supplied `Host` header.
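The two checks described above (build the link from configuration only, and accept a request only when its Host matches the configured host or a subdomain) can be written as a stand-alone PHP example. This is an added example, not e107's code: `configured_host`, `host_is_allowed`, `reset_link` and the sample hosts are assumptions made for illustration, and it additionally normalizes letter case and port, which the patches shown on this page do not.

```php
<?php
// Added illustration, not e107 code; function names and sample values are hypothetical.

// Lowercased host of the configured site URL, or null unless it is an absolute http(s) URL.
function configured_host(string $siteurl): ?string
{
    $parts = parse_url($siteurl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    return in_array($scheme, ['http', 'https'], true) ? strtolower($parts['host']) : null;
}

// True if the Host header names the configured host or one of its subdomains.
function host_is_allowed(string $hostHeader, string $configuredHost): bool
{
    // Host names are case-insensitive and the header may carry a port: compare the name only.
    $host = strtolower((string) preg_replace('/:\d+$/', '', trim($hostHeader)));
    if (!preg_match('/^[a-z0-9.-]+$/', $host)) {
        return false; // empty or malformed header
    }
    if ($host === $configuredHost) {
        return true;
    }
    $suffix = '.' . $configuredHost; // leading dot stops "evilexample.org" matching "example.org"
    return substr($host, -strlen($suffix)) === $suffix;
}

// Build the reset link from configuration only; nothing from the request is used.
function reset_link(string $siteurl, string $token): ?string
{
    if (configured_host($siteurl) === null) {
        return null; // refuse instead of falling back to the Host header
    }
    return rtrim($siteurl, '/') . '/fpw.php?' . rawurlencode($token);
}

// Constructed sample values.
$siteurl = 'https://cms.example.org/';
$cfg = configured_host($siteurl);
$hosts = ['cms.example.org', 'CMS.example.org:8443', 'a.cms.example.org',
          'evil.test', 'example.org', 'cms.example.org.evil.test'];
foreach ($hosts as $h) {
    printf("%-26s %s\n", $h, host_is_allowed($h, $cfg) ? 'allowed' : 'rejected');
}
var_dump(reset_link($siteurl, 'constructed-token'));
var_dump(reset_link('cms.example.org', 'constructed-token'));
```

Accepting every subdomain mirrors the subdomain support in the patch; a site that does not serve subdomains can drop the suffix branch and keep the exact match only.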

Preconditions

  • Input: attacker must know a valid email address registered on the e107 site
  • Network: attacker must be able to intercept or modify the HTTP request (e.g., via a proxy tool like Burp Suite) to change the Host header
  • Auth: no authentication required; the password reset page is publicly accessible

Reproduction

Navigate to the password reset page (`http://localhost/fpw.php`) and initiate a password reset request by entering a valid email address [1]. Use a proxy tool (e.g., Burp Suite) to intercept the outgoing HTTP request and change the value of the `Host` header to a malicious domain (e.g., `Host: example.com`) [1]. Check the email sent to the user and observe that the password reset link domain is the attacker-controlled malicious domain [1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
