Common Weakness Enumeration

CWE-644

Allowed

Improper Neutralization of HTTP Headers for Scripting Syntax

Abstraction: Variant · Status: Incomplete

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

104 vulnerabilities reference this CWE, most recent first.

GHSA-X848-FC4R-XCW9

Vulnerability from github – Published: 2024-02-03 09:30 – Updated: 2024-02-03 09:30
VLAI
Details

A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1064"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-644"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-03T09:15:11Z",
    "severity": "HIGH"
  },
  "details": "A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header",
  "id": "GHSA-x848-fc4r-xcw9",
  "modified": "2024-02-03T09:30:18Z",
  "published": "2024-02-03T09:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1064"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/crafty-controller/crafty-4/-/issues/327"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XF4F-QJ26-72PF

Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-23 21:31
VLAI
Details

A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "false". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-26747"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-644"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-20T17:25:56Z",
    "severity": "CRITICAL"
  },
  "details": "A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the \"app.force_url\" is not set and default is \"false\". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,",
  "id": "GHSA-xf4f-qj26-72pf",
  "modified": "2026-02-23T21:31:24Z",
  "published": "2026-02-20T18:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26747"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26747.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/monicahq/monica"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XFJ2-W4FV-CG6J

Vulnerability from github – Published: 2025-11-20 15:30 – Updated: 2025-11-20 15:30
VLAI
Details

A weakness has been identified in jameschz Hush Framework 2.0. The impacted element is an unknown function of the file Hush\hush-lib\hush\Util.php of the component HTTP Host Header Handler. This manipulation of the argument $_SERVER['HOST'] causes improper neutralization of http headers for scripting syntax. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13434"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-644"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-20T15:17:24Z",
    "severity": "MODERATE"
  },
  "details": "A weakness has been identified in jameschz Hush Framework 2.0. The impacted element is an unknown function of the file Hush\\hush-lib\\hush\\Util.php of the component HTTP Host Header Handler. This manipulation of the argument $_SERVER[\u0027HOST\u0027] causes improper neutralization of http headers for scripting syntax. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-xfj2-w4fv-cg6j",
  "modified": "2025-11-20T15:30:23Z",
  "published": "2025-11-20T15:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13434"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lakshayyverma/CVE-Discovery/blob/main/hush.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.332978"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.332978"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.687568"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XHFX-HGMF-V6VP

Vulnerability from github – Published: 2021-03-10 21:07 – Updated: 2025-05-29 23:26
VLAI
Summary
October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers
Details

Impact

When running on servers that are configured to accept a wildcard as a hostname (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. See the following resources for more information on Host Header Poisoning: - https://portswigger.net/web-security/host-header - https://dzone.com/articles/what-is-a-host-header-attack

Patches

A feature has been added in v1.1.2 to allow a set of trusted hosts to be specified in the application.

Workarounds

  • Apply https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6 & https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0 to your installation manually if unable to upgrade to v1.1.2.

  • Check that the configuration setting cms.linkPolicy is set to force.

Alternative Workaround

Check to make sure that your web server does not accept any hostname when serving your web application.

  1. Add an entry called testing.tld to your computer's host file and direct it to your server's IP address
  2. Open the address testing.tld in your web browser
  3. Make sure an October CMS website is not available at this address

If an October CMS website is returned, configure your webserver to only allow known hostnames. If you require assistance with this, please contact your server administrator.

References

Reported by Abdullah Hussam

For More Information

If you have any questions or comments about this advisory: * Email us at hello@octobercms.com

Threat Assessment

Screen Shot 2021-01-15 at 4 12 57 PM

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-644"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-10T21:07:08Z",
    "nvd_published_at": "2021-03-10T22:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\nWhen running on servers that are configured to accept a wildcard as a hostname (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. See the following resources for more information on Host Header Poisoning:\n- https://portswigger.net/web-security/host-header\n- https://dzone.com/articles/what-is-a-host-header-attack\n\n### Patches\n\nA feature has been added in v1.1.2 to allow a set of trusted hosts to be specified in the application.\n\n### Workarounds\n\n- Apply https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6 \u0026 https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0 to your installation manually if unable to upgrade to v1.1.2.\n\n- Check that the configuration setting `cms.linkPolicy` is set to `force`.\n\n### Alternative Workaround\n\nCheck to make sure that your web server does not accept any hostname when serving your web application.\n\n1. Add an entry called `testing.tld` to your computer\u0027s host file and direct it to your server\u0027s IP address\n2. Open the address `testing.tld` in your web browser\n3. Make sure an October CMS website is not available at this address\n\nIf an October CMS website is returned, configure your webserver to only allow known hostnames. If you require assistance with this, please contact your server administrator.\n\n### References\n\nReported by [Abdullah Hussam](https://github.com/ahussam)\n\n### For More Information\n\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat Assessment\n\u003cimg width=\"1108\" alt=\"Screen Shot 2021-01-15 at 4 12 57 PM\" src=\"https://user-images.githubusercontent.com/7253840/104783859-92fb3600-574c-11eb-9e21-c0dc05d230a9.png\"\u003e",
  "id": "GHSA-xhfx-hgmf-v6vp",
  "modified": "2025-05-29T23:26:01Z",
  "published": "2021-03-10T21:07:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21265"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/october/backend"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers"
}

Mitigation
Architecture and Design

Perform output validation in order to filter/escape/encode unsafe data that is being passed from the server in an HTTP response header.

Mitigation
Architecture and Design

Disable script execution functionality in the clients' browser.

No CAPEC attack patterns related to this CWE.