CVE-2026-43935

HIGH 8.1

e107: Host Header Injection in e107 password reset enables phishing

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks, account takeover, or other security risks. The severity is high, as the vulnerability affects a critical function related to user authentication. This vulnerability is fixed in 2.3.4.

CWE	CWE-20 CWE-807
Vendor	e107inc
Product	e107
Published	May 26, 2026
Last Updated	May 26, 2026

Stay Ahead of the Next One

Get instant alerts for e107inc e107

Be the first to know when new high vulnerabilities affecting e107inc e107 are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

e107inc / e107

< 2.3.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/e107inc/e107/security/advisories/GHSA-7pmw-jwvr-cq2x github.com: https://github.com/e107inc/e107/commit/04511f9f1d6e97c31ba7cc5bf7f1f9a19d221db6 github.com: https://github.com/e107inc/e107/commit/b0dee8234e273debbf7a8ae054de464f1008f357 github.com: https://github.com/e107inc/e107/commit/c4f9f71b0fd695545d0f09e2277b6f70ff4660fc