VYPR

Vulnerability Research

by Bugdotexe

CVEs (1)

  • CVE-2025-61536 | High | Oct 16, 2025
    risk 0.53 | cvss 8.2 | epss 0.00

    FelixRiddle dev-jobs-handlebars 1.0 builds absolute password-reset (magic) links from the untrusted `req.headers.host` header and forces the `http://` scheme. An attacker who can control the `Host` header (or exploit a misconfigured proxy/load-balancer that forwards the header…