PT-2025-47370 · Unknown · Backdrop Cms

Published 2025-11-18 · Updated 2025-11-24 · CVE-2025-63828

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Backdrop CMS version 1.32.1
Description: A Host Header Injection flaw exists in Backdrop CMS. An attacker can manipulate the Host header of a password reset request, because the application trusts that header when handling the password reset functionality. Successful exploitation can redirect the user to a malicious domain and may enable session hijacking through cookie injection.
Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, implement strict Host header validation (for example, an allowlist of the site's own hostnames) so that a client-supplied Host value is never used to build password reset links.
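To illustrate the interim workaround above, here is an added example of a strict Host header allowlist check in PHP, the language Backdrop CMS is written in. It is not Backdrop's own code; the allowlist, the function name and the sample requests are assumptions constructed for this example.

```php
<?php
// Added example, not Backdrop CMS code: strict Host header validation as the
// interim workaround the advisory recommends. TRUSTED_HOSTS is an assumed,
// deployment-specific allowlist of the hostnames this site legitimately serves.
const TRUSTED_HOSTS = ['cms.example.org', 'www.example.org'];

/**
 * Return the validated host to use when building absolute URLs (such as
 * password reset links), or null if the request's Host header is not trusted.
 * A null result should abort the request (HTTP 400); it must never fall back
 * to the raw header, since that is exactly the value an attacker controls.
 * Behind a reverse proxy, apply the same check to whichever forwarded-host
 * header the application uses for URL generation.
 */
function trusted_host(array $server, array $allowlist = TRUSTED_HOSTS): ?string
{
    $raw = $server['HTTP_HOST'] ?? '';
    // Drop an optional ":port" suffix and normalise case before comparing.
    // (IPv6 literals in brackets are not handled here and would be rejected.)
    $host = strtolower(preg_replace('/:\d+$/', '', $raw));
    // Reject anything that is not a plain hostname: no userinfo, path, or spaces.
    if ($host === '' || !preg_match('/^[a-z0-9.-]+$/', $host)) {
        return null;
    }
    // Exact match against the allowlist; no substring or suffix matching.
    return in_array($host, $allowlist, true) ? $host : null;
}

// Constructed requests for demonstration; the second carries an
// attacker-chosen Host value (placeholder domain, not a real site).
$requests = [
    ['HTTP_HOST' => 'cms.example.org'],
    ['HTTP_HOST' => 'untrusted.example'],
    ['HTTP_HOST' => 'cms.example.org:443'],
    ['HTTP_HOST' => 'cms.example.org.untrusted.example'],
];
foreach ($requests as $r) {
    $host = trusted_host($r);
    echo $r['HTTP_HOST'], ' => ',
        $host === null ? 'rejected (HTTP 400)' : "accepted ($host)", PHP_EOL;
}
```

Only the first and third requests are accepted; the suffix-padded hostname in the last request is rejected because the comparison is an exact match rather than a prefix or substring test.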

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2025-63828
GHSA-FFPG-GM3H-4P5P

Affected Products

Backdrop Cms