CVE-2026-32616
Published: 16 March 2026
Summary
CVE-2026-32616 is a high-severity Injection (CWE-74) vulnerability. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 11.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validating untrusted inputs such as the HTTP Host header for consistency with expected values before using them to construct email verification URLs, directly preventing host header injection.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, such as patching Pigeon to version 1.0.201 or later, which fixes the unvalidated $_SERVER['HTTP_HOST'] usage in the register and resendmail flows.
- SC-7 (Boundary Protection): enforces boundary protection mechanisms such as web application firewalls or reverse proxies that inspect and validate HTTP Host headers, blocking forged values before they reach the email URL construction.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Host header injection in a public-facing web application directly enables remote exploitation (T1190), resulting in account takeover via malicious verification links and token replay (T1078).
NVD Description
Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification link sent to the user's email to point to an attacker-controlled domain. This can lead to account takeover by stealing the email verification token. This vulnerability is fixed in 1.0.201.
Deeper analysis
CVE-2026-32616 is a Host header injection vulnerability (CWE-74) in Pigeon, an open-source message board, notepad, social system, and blog application. Versions prior to 1.0.201 use the unvalidated $_SERVER['HTTP_HOST'] value from incoming HTTP requests to construct email verification URLs in the register and resendmail flows. This flaw, published on 2026-03-16, carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).
Any unauthenticated attacker with network access can exploit this by submitting a register or resendmail request to the vulnerable Pigeon instance with a forged Host header pointing to a domain under their control. The server then emails a verification link using the attacker's domain (e.g., https://attacker.com/verify?token=...), which is delivered to the target user's email address. If the user interacts with the link (UI:R), the attacker captures the verification token and replays it against the legitimate server to complete account verification, resulting in account takeover with high confidentiality impact.
The issue is addressed in Pigeon version 1.0.201. Administrators should upgrade to this release or later to mitigate the vulnerability. Additional details are available in the GitHub security advisory (https://github.com/kasuganosoras/Pigeon/security/advisories/GHSA-rrj4-9wgq-prcr) and release notes (https://github.com/kasuganosoras/Pigeon/releases/tag/1.0.201).
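The following PHP snippet is an added illustration of the pattern described in the analysis above and of the SI-10 input-validation control listed under Mitigating Controls. It is not Pigeon's own code and does not reproduce the project's register or resendmail handlers; the function names, the configured canonical host, the allowlist, and the sample request arrays are all assumptions constructed for this example. The first function shows the vulnerable shape (the request's Host header flows straight into the verification link); the second builds the link from an operator-configured host, accepting the request's Host only when it exactly matches an allowlist, and logs any mismatch so forged headers become visible in the application log.

```php
<?php
// Added example for CVE-2026-32616; not Pigeon's code. Names, config values and
// the allowlist below are assumptions made for illustration.

// --- Vulnerable shape (as the advisory describes): the Host header is trusted ---
function build_verify_url_vulnerable(array $server, string $token): string
{
    // $server['HTTP_HOST'] mirrors $_SERVER['HTTP_HOST']: whatever Host header the
    // client sent, so a forged header rewrites the domain of the emailed link.
    return 'https://' . $server['HTTP_HOST'] . '/verify?token=' . rawurlencode($token);
}

// --- Hardened shape (SI-10): validate Host against a fixed allowlist, else ignore it ---
const ALLOWED_HOSTS = ['board.example.org', 'www.board.example.org']; // assumed deployment hosts

function canonical_host(array $server, string $configuredHost, array $allowed = ALLOWED_HOSTS): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    // Drop an optional port so "board.example.org:443" still matches the allowlist.
    $host = preg_replace('/:\d+$/', '', $host) ?? '';
    // Exact, strict comparison only: no prefix or suffix matching, so a value such
    // as "board.example.org.attacker.example" is rejected.
    if (in_array($host, $allowed, true)) {
        return $host;
    }
    // Mismatch: never echo the request value. Fall back to the configured host and
    // record the event, which gives operators a detection point for forged headers.
    error_log(sprintf('host header mismatch: got %s, using %s', $host, $configuredHost));
    return $configuredHost;
}

function build_verify_url_hardened(array $server, string $token, string $configuredHost): string
{
    return 'https://' . canonical_host($server, $configuredHost) . '/verify?token=' . rawurlencode($token);
}

// Constructed sample requests (not captured traffic): one benign, one with a forged Host.
$benign = ['HTTP_HOST' => 'board.example.org'];
$forged = ['HTTP_HOST' => 'attacker.example'];
$token  = 'constructed-sample-token';

echo build_verify_url_vulnerable($forged, $token), PHP_EOL;                     // link domain follows the forged header
echo build_verify_url_hardened($forged, $token, 'board.example.org'), PHP_EOL;  // link stays on the configured host
echo build_verify_url_hardened($benign, $token, 'board.example.org'), PHP_EOL;  // allowlisted host is kept
```

The design point is that the emailed link's origin is a deployment property, not a request property: the configured host is the source of truth and the Host header is at most a cross-check. Where a reverse proxy or WAF (SC-7) already normalises Host, the application-level check still matters, because it protects instances reached directly and turns a forged header into a logged event rather than a silent redirect of the verification token.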
Details
- CWE(s)