CVE-2025-61132

Name of the Vulnerable Software and Affected Versions levlaz braindump version 0.4.14

Description A Host Header Injection flaw exists in the password reset functionality of the software. This allows remote attackers to manipulate the Host header during password reset link generation, specifically when Flask's url for( external=True) is used without a defined SERVER NAME. Successful exploitation can lead to password reset poisoning and subsequent account takeover. The vulnerable component is the password reset functionality. The url for() function is used to generate reset links.

Recommendations Versions prior to 0.4.14 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.