PT-2025-10631 · Passbolt · Passbolt Api

David Silva

·

Published

2025-03-10

·

Updated

2025-03-11

·

CVE-2025-27913

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Passbolt API versions prior to 5
Description: The issue arises when the server is misconfigured, that is, when the installation process was not followed correctly and the Health Check results were disregarded. In that state the Passbolt API builds the links in the e-mail messages it sends from the domain name in the HTTP Host header, which is attacker-controlled, instead of from the configured base URL, so those links can point recipients at a host the attacker chooses.
Recommendations: For versions prior to 5, make sure the server is configured correctly by following the installation process and resolving every problem reported by the Health Check. Versions 5 and later are not affected. As a temporary workaround, consider restricting access to the e-mail functionality until the configuration has been corrected.
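The pattern behind this class of issue, shown as an added example that is not Passbolt's own code: a server that derives the absolute links in its outgoing e-mails from the request's Host header, beside one that derives them only from a configured full base URL (Passbolt stores this as App.fullBaseUrl), plus the kind of consistency check a health check performs between the two. The base URL, host names and recovery path are made-up placeholders, not Passbolt routes or captured traffic.

```python
from urllib.parse import urlsplit

# Assumed stand-in for the deployment's configured full base URL
# (the value is invented for this example).
CONFIGURED_BASE_URL = "https://passbolt.example.com"


def link_from_host_header(headers, path):
    """Vulnerable pattern: build the absolute URL from request headers.

    Whatever the client sent in Host (or a proxy-style X-Forwarded-Host)
    becomes the domain of the link that is e-mailed to the user.
    """
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}{path}"


def link_from_config(path, base_url=CONFIGURED_BASE_URL):
    """Hardened pattern: build the absolute URL only from server configuration.

    Nothing from the request influences the host part of the link.
    """
    return base_url.rstrip("/") + path


def host_matches_config(headers, base_url=CONFIGURED_BASE_URL):
    """Health-check style test: does the request's Host agree with the configured base URL?

    A False result is exactly the situation in which the vulnerable pattern
    above would mail out an attacker-chosen domain. An explicit port on the
    Host header is ignored; bracketed IPv6 literals are not handled here.
    """
    request_host = headers.get("Host", "").rsplit(":", 1)[0].lower()
    return request_host == (urlsplit(base_url).hostname or "").lower()


# Constructed sample requests (not captured traffic).
ATTACKER_HEADERS = {"Host": "evil.example", "X-Forwarded-Proto": "https"}
LEGIT_HEADERS = {"Host": "passbolt.example.com:443"}
RECOVERY_PATH = "/setup/recover/<user-id>/<token>"  # placeholder, not a real Passbolt route

if __name__ == "__main__":
    print("vulnerable:", link_from_host_header(ATTACKER_HEADERS, RECOVERY_PATH))
    print("hardened:  ", link_from_config(RECOVERY_PATH))
    print("host check:", host_matches_config(ATTACKER_HEADERS), host_matches_config(LEGIT_HEADERS))
```

The hardened variant is only as good as its configuration: if the configured base URL is left at an installer default or is never verified, the server has nothing trustworthy to compare the request against, which is why the advisory ties the issue to skipped installation steps and ignored Health Check results.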

Fix


Weakness Enumeration

Related Identifiers

CVE-2025-27913

Affected Products

Passbolt Api