Cyber Resilience

CVE-2026-29199

Severity: High
Published: 04 May 2026
Modified: 29 May 2026
CISA KEV: not listed
CVSS v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS: 0.0025 (16.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-29199 is a high-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in phpBB. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-29199 is a Host Header Injection vulnerability in phpBB versions before 3.3.16 that enables password reset link poisoning. When the force_server_vars configuration option is disabled, the application's code extracts the server's hostname from the HTTP Host header to construct password reset link URLs sent via email. This allows manipulation of the generated links if the header is not properly validated or sanitized by the web server.

Attackers can exploit this vulnerability over the network with low complexity and no required privileges, provided they can control the Host header in requests, such as through misconfigured virtual host setups or absent web server header validation. By doing so, they can poison password reset emails to point to a domain under their control. If a targeted user interacts with the malicious link (e.g., by clicking it to reset their password), the attacker can achieve high confidentiality and integrity impacts, potentially resulting in account takeover. The issue is scored at CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-640.

phpBB versions 3.3.16 and later address this vulnerability. Additional details are available in the originating HackerOne report at https://hackerone.com/reports/3543246.

Vulnerability details

phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is then used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through a misconfigured host setup or missing header validation by the web server) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.

CWE(s)

CWE-640 Weak Password Recovery Mechanism for Forgotten Password

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remotely exploitable vulnerability in a public-facing web application (phpBB) that is abused via crafted Host headers to poison password reset links and achieve account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-70810: same product (phpBB)
CVE-2022-50910: shared CWE-640
CVE-2026-42606: shared CWE-640
CVE-2026-25858: shared CWE-640
CVE-2026-40585: shared CWE-640
CVE-2025-63314: shared CWE-640
CVE-2026-1325: shared CWE-640
CVE-2020-37172: shared CWE-640
CVE-2024-11350: shared CWE-640
CVE-2026-33707: shared CWE-640

Affected Assets

Vendor: phpbb
Product: phpbb
Versions: ≤ 3.3.16

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: SI-2 Flaw Remediation. Remediates the specific Host Header Injection flaw in phpBB by requiring timely patching to version 3.3.16 or later, so that the hostname used in password reset links is no longer taken from the untrusted Host header.

Prevent: SI-10 Information Input Validation. Requires validation of the HTTP Host header input to prevent injection and poisoning of password reset link URLs in phpBB.

Prevent: secure configuration. Ensures secure configuration settings, such as enabling force_server_vars in phpBB or web server validation of Host headers, to block manipulation.
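The following is an added illustration, not phpBB's code and not taken from the HackerOne report, of the two behaviours contrasted in the deeper analysis and in the mitigating controls above: building the password reset link host from the request's Host header versus taking it from fixed server settings or an operator-maintained allowlist. The function names, the `$allowed_hosts` list and the sample requests are constructed for this example; the configuration keys `force_server_vars` and `server_name` are named after phpBB's settings only for recognisability, and nothing here calls phpBB's own APIs.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not phpBB's code): decide which host name is written into a
 * password reset link. The two functions mirror the weak and the hardened
 * behaviour described in the analysis above.
 */

/** Weak pattern: with fixed server vars disabled, trust whatever Host the client sent. */
function reset_link_host_weak(array $server, array $config): string
{
    if (!empty($config['force_server_vars'])) {
        return $config['server_name'];
    }
    // The request header is reflected straight into the e-mailed link.
    return $server['HTTP_HOST'] ?? $config['server_name'];
}

/** Hardened pattern: the Host header is used only when it matches an explicit allowlist. */
function reset_link_host_hardened(array $server, array $config, array $allowed_hosts): string
{
    $fixed = strtolower($config['server_name']);
    if (!empty($config['force_server_vars'])) {
        // Fixed server vars: the request cannot influence the link at all.
        return $fixed;
    }

    $host = strtolower($server['HTTP_HOST'] ?? '');
    // Strip an explicit port and compare the name alone (IPv6 literals are out of scope here).
    $host = preg_replace('/:\d+$/', '', $host) ?? '';

    // Exact, case-insensitive match against the operator-maintained allowlist.
    $allowed = array_map('strtolower', $allowed_hosts);
    if ($host !== '' && in_array($host, $allowed, true)) {
        return $host;
    }

    // Unknown Host: fall back to the configured name and leave a log line for detection.
    error_log(sprintf('reset link: rejected unknown Host header "%s", using "%s"', $host, $fixed));
    return $fixed;
}

// Constructed sample configuration: a forum whose only public names are the two below.
$config        = ['force_server_vars' => 0, 'server_name' => 'forum.example.org'];
$allowed_hosts = ['forum.example.org', 'www.forum.example.org'];

// Constructed sample requests: one with the site's real name, one with an unexpected Host.
$legit   = ['HTTP_HOST' => 'forum.example.org'];
$unknown = ['HTTP_HOST' => 'unexpected-host.invalid'];

printf("weak, legit Host:         %s\n", reset_link_host_weak($legit, $config));
printf("weak, unexpected Host:    %s\n", reset_link_host_weak($unknown, $config));
printf("hardened, legit Host:     %s\n", reset_link_host_hardened($legit, $config, $allowed_hosts));
printf("hardened, unexpected Host: %s\n", reset_link_host_hardened($unknown, $config, $allowed_hosts));

// Enabling force_server_vars removes the Host header from the decision entirely.
$config['force_server_vars'] = 1;
printf("forced server vars:       %s\n", reset_link_host_hardened($unknown, $config, $allowed_hosts));
```

The weak function returns the unexpected Host unchanged, which is exactly what lets a reset e-mail carry a link to a domain the site does not own; the hardened function returns the configured name in that case and logs the rejection, which gives a detection signal for probing. The same control can sit in front of the application: a web server default virtual host that answers requests with an unrecognised Host name (rather than routing them to the forum) makes the allowlist check in the application a second layer rather than the only one.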
