Vulnerability DatabaseCVE-2026-43935
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-43935
Published:May 26, 2026
Updated:June 11, 2026
e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks, account takeover, or other security risks. The severity is high, as the vulnerability affects a critical function related to user authentication. This vulnerability is fixed in 2.3.4.
Affected Packages
https://github.com/e107inc/e107.git (GITHUB):
Affected version(s) >=v0.5.4 <v2.3.4
Fix Suggestion:
Update to version v2.3.4
Related Resources (4)
https://github.com/e107inc/e107/commit/04511f9f1d6e97c31ba7cc5bf7f1f9a19d221db6
https://github.com/e107inc/e107/commit/b0dee8234e273debbf7a8ae054de464f1008f357
https://github.com/e107inc/e107/commit/c4f9f71b0fd695545d0f09e2277b6f70ff4660fc
https://github.com/e107inc/e107/security/advisories/GHSA-7pmw-jwvr-cq2x
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.6
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Improper Input Validation
CWE-20
Reliance on Untrusted Inputs in a Security Decision
CWE-807
EPSS
Base Score:
0.15