PT-2026-21270 · Monica · Monica

Hungnqdz · Published 2026-02-20 · Updated 2026-02-23 · CVE-2026-26747

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Monica version 4.1.2

Description: A Host header poisoning issue exists due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with a default misconfiguration in which app.force_url is not set and therefore defaults to false. With that setting the application builds absolute URLs, including the link in password reset emails, from the user-supplied Host header rather than from the configured app.url. An unauthenticated attacker who requests a password reset for a victim's address while supplying a Host header they control causes the victim to receive a reset link that points at the attacker's host; since the link carries the reset token, a victim who follows it hands that token to the attacker.

Recommendations: Update to a newer version that contains a fix for this vulnerability. Until the update is applied, set app.force_url to true with app.url set to the instance's canonical URL, so that absolute URLs are generated from configuration rather than from the request, and configure the web server or reverse proxy in front of Monica to reject requests whose Host header does not match that hostname. Note that the second measure only helps if the proxy actually enforces it; a default server block that accepts any Host value passes the attacker's header straight through to the application.
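The following added example, which is not code from Monica or Laravel, models the URL construction the description above refers to, gives a probe a tester can point at an instance to see whether its absolute URLs follow the Host header, and runs a detection check over constructed access-log lines. The root-URL logic is a simplified rendering of the behaviour described in the advisory (Host header when app.force_url is false, app.url when it is true); the reset-link path, the log format with `$host` appended, and the `probe` entry point are assumptions for illustration only, and the probe must only be run against systems you are authorised to test.

```python
"""Host header poisoning (CVE-2026-26747 class): vulnerable vs. forced root URL,
a response reflection check, and a log check for spoofed Host headers.
Added example; not Monica's or Laravel's own code."""
import http.client
import re
import sys
from urllib.parse import urlencode, urlsplit

# Absolute URL in a header or body; group 1 is the host[:port] part.
ABS_URL = re.compile(r"https?://([^/\s\"'<>]+)", re.I)


def resolve_root_url(host_header: str, app_url: str, force_url: bool, scheme: str = "https") -> str:
    """Simplified model of Laravel's root URL resolution (assumption):
    with force_url the configured app.url wins, otherwise the client-supplied
    Host header is trusted and ends up in every absolute URL."""
    if force_url:
        return app_url.rstrip("/")
    return f"{scheme}://{host_header}"


def build_reset_link(root: str, token: str, email: str) -> str:
    """Illustrative reset link using the Laravel default route shape
    /password/reset/{token}?email=... (assumption; Monica's path may differ)."""
    return f"{root}/password/reset/{token}?{urlencode({'email': email})}"


def _hosts_in(text: str) -> set:
    """Lower-cased hostnames (port stripped) of every absolute URL in text."""
    return {m.lower().split(":")[0] for m in ABS_URL.findall(text)}


def reflected_host(headers, body: str, canary: str) -> bool:
    """True if a response built for a spoofed Host header echoes the canary
    host in a Location header or in any absolute URL in the body."""
    canary = canary.lower()
    location = " ".join(v for n, v in headers if n.lower() == "location")
    return canary in (_hosts_in(location) | _hosts_in(body))


def probe(base_url: str, canary: str = "attacker.example", path: str = "/login") -> bool:
    """Send one GET with a spoofed Host header and report whether the app
    reflects it. A GET cannot show the email itself (that goes to the victim),
    but an app that reflects Host here builds its mail links the same way."""
    parts = urlsplit(base_url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    conn.request("GET", path, headers={"Host": canary})  # overrides the default Host
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    return reflected_host(resp.getheaders(), body, canary)


# Detection: constructed nginx-style combined log with "$host" appended as the
# last quoted field (log_format assumption, not an nginx or Monica default).
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)

SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.5 - - [20/Feb/2026:10:00:01 +0000] "POST /password/email HTTP/1.1" 302 0 "-" "curl/8.5" "monica.example.org"',
    '198.51.100.7 - - [20/Feb/2026:10:00:02 +0000] "POST /password/email HTTP/1.1" 302 0 "-" "curl/8.5" "attacker.example"',
    '198.51.100.7 - - [20/Feb/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "monica.example.org:443"',
]


def spoofed_host_requests(lines, allowed_hosts):
    """Return (host, path) for every request whose Host header is not one of
    the canonical hostnames; a reset request with a foreign Host is the
    signature of an attempt against this issue."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("host").lower().split(":")[0] not in allowed:
            hits.append((m.group("host"), m.group("path")))
    return hits


if __name__ == "__main__":
    app_url = "https://monica.example.org"
    for force in (False, True):
        root = resolve_root_url("attacker.example", app_url, force)
        print(f"app.force_url={force}: {build_reset_link(root, 'tok', 'victim@example.org')}")
    print("suspicious requests:", spoofed_host_requests(SAMPLE_LOG, ["monica.example.org"]))
    if len(sys.argv) > 1:  # python3 host_check.py https://your-instance.example
        print("reflects spoofed Host:", probe(sys.argv[1]))
```

Running the script without arguments prints the reset link as it would be generated with app.force_url left at false (pointing at attacker.example) beside the link generated with it set to true (pointing at the configured app.url), and lists the one constructed log line whose Host header is foreign. Applying the same allowlist at the proxy, rather than only in detection, is what actually closes the hole for deployments that cannot upgrade immediately.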

Exploit

Fix

Weakness Enumeration

Related Identifiers: CVE-2026-26747

Affected Products: Monica