Cyber Resilience

CVE-2026-26747

Critical · Public PoC

Published: 20 February 2026
Modified: 26 February 2026
KEV Added: not listed
CVSS v3.1: 9.1 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.0039 (30.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-26747 is a critical-severity Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644) vulnerability in Monicahq Monica. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 30.8th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26747 is a Host header poisoning vulnerability in Monica 4.1.2, stemming from improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php. It is compounded by a default misconfiguration: the "app.force_url" setting is not defined and defaults to "false", so the application generates absolute URLs, including those embedded in password reset emails, directly from the user-supplied Host header rather than from a configured canonical URL.

Remote attackers can exploit this over the network (AV:N) with low attack complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N), with high impact on confidentiality (C:H) and integrity (I:H) and none on availability (A:N); the CVSS v3.1 base score is 9.1, and the weakness is mapped to CWE-644. By sending a password reset request for a victim's address with a poisoned Host header, an attacker controls the hostname in the reset link the application emails to that victim. A victim who follows the link is sent to the attacker's host, enabling account takeover or phishing via the redirected reset URL.

Mitigation details and further analysis are documented in the referenced advisory at https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26747.md, with the affected Monica repository available at https://github.com/monicahq/monica.

Vulnerability details

A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where "app.force_url" is not set and defaults to "false". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim, …

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

Host header poisoning in a public-facing web application (Monica) is exploited directly via T1190 to generate malicious password-reset URLs; the application then emails the attacker-controlled reset link to the victim, which resembles T1566.002 and supports account takeover or phishing.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-54996 (same product: Monicahq Monica)
CVE-2025-70948 (shared CWE-644)
CVE-2025-64425 (shared CWE-644)
CVE-2026-33149 (shared CWE-644)
CVE-2026-26234 (shared CWE-644)
CVE-2025-52660 (shared CWE-644)
CVE-2026-48126 (shared CWE-644)

Affected Assets

monicahq / monica / 4.1.2

Mitigating Controls

NIST 800-53 r5 controls (AI-assisted mapping)

SI-2 Flaw Remediation (prevent): requires timely identification, reporting and remediation of software flaws, directly addressing the improper Host header handling in app/Providers/AppServiceProvider.php for this CVE.

CM-6 Configuration Settings (prevent): enforces secure configuration settings, here setting 'app.force_url' to true so that absolute URLs are generated from the configured application URL rather than from the user-supplied Host header.

SI-10 Information Input Validation (prevent): mandates input validation at entry points, such as checking the HTTP Host header against an allowlist of expected domains and rejecting requests that fail it, which blocks poisoning attempts.
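The following is an added example, not Monica's code and not the referenced proof-of-concept. It is a small Python model of the URL-generation decision described in the deeper analysis above (root URL taken from the Host header when force_url is false) and of the two controls just listed: forcing the root URL from configuration (CM-6) and validating Host against an allowlist (SI-10). The config names force_url, app_url and trusted_hosts, the reset path, the token and every hostname are this example's own assumptions.

```python
"""Model of Host header poisoning in password-reset links and of the controls
that stop it. Added example; it is not Monica's code or the advisory's PoC.
Config names, the reset path and all hostnames are assumptions."""
from dataclasses import dataclass
from typing import Optional
import re

# Hostname or bracketed IPv6 literal, with an optional ":port" (constructed syntax check).
_HOST_RE = re.compile(r"^(?P<name>[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::(?P<port>\d{1,5}))?$")


@dataclass
class AppConfig:
    app_url: str = "https://monica.example.org"  # stands in for the configured application URL
    force_url: bool = False                       # the insecure default the advisory describes
    trusted_hosts: tuple = ()                     # empty = no Host allowlist (SI-10 absent)


@dataclass
class Request:
    host_header: str          # raw value of the HTTP Host header, attacker-controlled
    scheme: str = "https"


def host_is_trusted(host: str, trusted: tuple) -> bool:
    """Allowlist check on the Host header (the SI-10 control).

    Accepts exact names and "*.example.org" wildcards, ignores a port and a
    trailing dot, and rejects anything that is not syntactically a host
    (e.g. a value smuggling a path or userinfo)."""
    m = _HOST_RE.match(host)
    if not m:
        return False
    name = m.group("name").lower().rstrip(".")
    for pattern in trusted:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            # "*.example.org" matches "a.example.org" but not "example.org" itself
            if name.endswith(pattern[1:]):
                return True
        elif name == pattern:
            return True
    return False


def root_url(req: Request, cfg: AppConfig) -> str:
    """The vulnerable decision point: with force_url false the root URL is
    built from whatever Host the client sent (the CM-6 control is absent)."""
    if cfg.force_url:
        return cfg.app_url.rstrip("/")
    return f"{req.scheme}://{req.host_header}"


def build_reset_link(req: Request, cfg: AppConfig, token: str, email: str) -> Optional[str]:
    """Return the reset link that would be emailed, or None when the request
    is rejected by the Host allowlist. Path and query shape are assumed."""
    if cfg.trusted_hosts and not host_is_trusted(req.host_header, cfg.trusted_hosts):
        return None
    return f"{root_url(req, cfg)}/password/reset/{token}?email={email}"


def poisoned_host(link: str, expected_root: str) -> bool:
    """True when the emailed link does not start with the canonical root,
    i.e. the client-supplied Host leaked into the message."""
    return not link.startswith(expected_root.rstrip("/") + "/")


def demo() -> dict:
    """Three configurations against the same attacker request (constructed data)."""
    token = "b1f7c2d8e9a0"                            # constructed stand-in for a reset token
    victim = "victim%40example.org"
    attack = Request(host_header="attacker.example")  # constructed attacker-chosen Host
    legit = Request(host_header="monica.example.org:443")

    vulnerable = AppConfig()                          # force_url=False, no allowlist
    forced = AppConfig(force_url=True)                # CM-6 only: root URL from configuration
    hardened = AppConfig(force_url=True,              # CM-6 + SI-10
                         trusted_hosts=("monica.example.org", "*.monica.example.org"))

    return {
        "vulnerable_link": build_reset_link(attack, vulnerable, token, victim),
        "forced_link": build_reset_link(attack, forced, token, victim),
        "hardened_attack": build_reset_link(attack, hardened, token, victim),
        "hardened_legit": build_reset_link(legit, hardened, token, victim),
    }


if __name__ == "__main__":
    for name, link in demo().items():
        print(f"{name:16} {link}")
```

With the vulnerable configuration the emailed link starts with https://attacker.example/, carrying the victim's reset token to the attacker's host; with force_url set the same request yields a link rooted at the configured URL, and with the allowlist the request is rejected outright. In Laravel the first control corresponds to forcing the root URL from configuration and the second to the framework's trusted-hosts middleware. Behind a reverse proxy, apply the allowlist to the host value the application actually uses (which may come from X-Forwarded-Host when proxies are trusted), and have the proxy itself refuse Host values it does not serve.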
