{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26747", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-02-23T20:37:29.313Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-02-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-20T16:43:05.241Z"}, "descriptions": [{"lang": "en", "value": "A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the \"app.force_url\" is not set and default is \"false\". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/monicahq/monica"}, {"url": "https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26747.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-644", "lang": "en", "description": "CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T20:36:32.643937Z", "id": "CVE-2026-26747", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T20:37:29.313Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26747", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T20:36:32.643937Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-644", "description": "CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T20:35:16.038Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/monicahq/monica"}, {"url": "https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26747.md"}], "descriptions": [{"lang": "en", "value": "A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the \"app.force_url\" is not set and default is \"false\". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-20T16:43:05.241Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26747", "state": "PUBLISHED", "dateUpdated": "2026-02-23T20:37:29.313Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:monicahq:monica:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "9B4E9530-0DB5-4B0C-BF09-3BCD409A20F9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the \"app.force_url\" is not set and default is \"false\". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,"}, {"lang": "es", "value": "Una vulnerabilidad de envenenamiento de encabezado Host existe en Monica 4.1.2 debido a un manejo inadecuado del encabezado HTTP Host en app/Providers/AppServiceProvider.php, combinado con la configuraci\u00f3n err\u00f3nea predeterminada donde 'app.force_url' no est\u00e1 configurado y su valor predeterminado es 'false'. La aplicaci\u00f3n genera URLs absolutas (como las utilizadas en los correos electr\u00f3nicos de restablecimiento de contrase\u00f1a) utilizando el encabezado Host proporcionado por el usuario. Esto permite a atacantes remotos envenenar el enlace de restablecimiento de contrase\u00f1a enviado a una v\u00edctima."}], "id": "CVE-2026-26747", "lastModified": "2026-02-26T02:42:23.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T17:25:56.023", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26747.md"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/monicahq/monica"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-644"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.1.2"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "monica", "vendor": "monicahq"}], "analysis": {"en": {"generated_at": "2026-04-18T11:37:35.900589+00:00", "value": {"mitigation_remediation": ["Upgrade Monica to a version where the Host header validation is fixed", "Set the app.force_url configuration value in .env to your trusted domain to override the user\u2011supplied Host header", "If an upgrade or configuration change is not immediately possible, restrict the password\u2011reset endpoint to only serve requests from a pre\u2011defined list of approved origins or disable the feature until patched"], "summary": {"action": "Patch Immediately", "impact": "Credential theft via forged password reset links"}, "threat_synthesis": {"affected_systems": "The flaw affects the open\u2011source CRM product Monica version 4.1.2. The affected package is identified by cpe:2.3:a:monicahq:monica:4.1.2. No other versions or products are listed. Operators running that specific release should verify whether a newer safe release is available.", "description_and_impact": "The vulnerability arises from Monica\u2019s careless use of the HTTP Host header when generating absolute URLs in app/Providers/AppServiceProvider.php. Because the default configuration has app.force_url set to false, the framework accepts the client\u2011supplied Host header and inserts it into all generated URLs, including those that appear in password\u2011reset emails. A remote attacker can send a request with a malicious Host header, causing the password\u2011reset link to contain an attacker\u2011controlled domain. The victim, unwittingly clicking the link, can be redirected to a phishing site or have their credentials harvested. This flaw permits the attacker to gain unauthorized access to user accounts without needing to exploit additional vulnerabilities.", "risk_and_exploitability": "The CVSS score of 9.1 indicates high severity. The EPSS score of less than 1% signifies that, at present, the likelihood of exploitation is low, and the issue is not referenced in the CISA Known Exploited Vulnerabilities database. Nonetheless, this flaw can be exploited by a remote attacker over the network by supplying a malicious Host header when initiating a password\u2011reset request. The attacker does not need privileged access or to compromise the underlying operating system; the attack simply redirects the victim to a spoofed domain where credentials can be phished."}}}}, "created": "2026-02-23T14:47:23.587963+00:00", "title": "Host Header Poisoning in Monica 4.1.2 Enables Phished Password Reset Links", "updated": "2026-04-18T11:45:44.592495+00:00", "vendors": ["monicahq", "monicahq$PRODUCT$monica"]}