CVE-2025-27913

Low CVSS: 2.1

Passbolt API before 5, if the server is misconfigured (with an incorrect installation process and disregarding of Health Check results), can send email messages with a domain name taken from an attacker-controlled HTTP Host header.

Vendor

Passbolt

Product

Passbolt Api

CWE

CWE-348

Yayın Tarihi

2025-03-10 20:15:14

Güncelleme

2025-06-19 00:14:38

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-348 Passbolt Api LOW Passbolt 2025

Referanslar

https://www.passbolt.com/incidents/host-header-injection