MeldSecurity
Press Enter to search
CVE Database & Search →
Sign In Get Started

CVE-2026-26747

🚨 CRITICAL

A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where...

Published
Feb 20, 2026
Last Modified
Feb 26, 2026
Views
7
Bookmarks
0

Description

Request Expert Review

A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "false". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,

Affected Products (1)

monicahq - monica

Version: 4.1.2

CVSS Scores

CVSS 3.1 9.1
9.1
CRITICAL
CVSS 2.0 9.1

References

github.com github.com

Additional Information

Source
cve@mitre.org
State
Analyzed

Related CVEs

CVE-2026-4111

HIGH

A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path....

Score: 7.5

CVE-2026-4105

MEDIUM

A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the clas...

Score: 6.7

CVE-2026-4063

MEDIUM

The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in th...

Score: 4.3

CVE-2026-3986

MEDIUM

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and includin...

Score: 6.4

CVE-2026-3910

HIGH

Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a...

Score: 8.8

CVE-2026-3909

HIGH

Out of bounds write in Skia in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to perform out of bounds memory access via a crafted HTM...

Score: 8.8

Share CVE-2026-26747

Share on Social Media

Copy Link

Embed Code

Request Expert Analysis

Request a professional security analysis for CVE-2026-26747 from our verified experts.

Credits System

Use your credits to get expert analysis from verified security professionals. Purchase more credits anytime!

Add 3 credits for accelerated delivery

Base Cost: 8 credits
Priority Upgrade: + credits
SLA Acceleration: +3 credits
Total Cost:
Your Balance:

Insufficient Credits

You need more credits to submit this request.

Buy Credits

Report Analysis