CVE-2025-61543

Name of the Vulnerable Software and Affected Versions CraftMyCMS version 4.0.2.2

Description A Host Header Injection issue exists in the password reset functionality. The system directly uses $ SERVER['HTTP HOST'] to create password reset links sent through email. An attacker can manipulate the Host header to send malicious reset links, potentially leading to phishing attacks or account takeover. The vulnerable parameter is $ SERVER['HTTP HOST'].

Recommendations Apply a fix that properly sanitizes or encodes the $ SERVER['HTTP HOST'] variable before using it to construct password reset links.