PT-2026-25381 · Pigeon
Credits: Kasuganosoras, Mabjr33
Published 2026-03-13 · Updated 2026-03-16
CVE-2026-32616
CVSS v3.1: 8.2 High
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pigeon versions prior to 1.0.201
Description: Pigeon is a message board/notepad/social system/blog. The application uses $_SERVER['HTTP_HOST'] without validation when constructing the email verification URL in the register and resendmail flows. An attacker who controls the Host header of the HTTP request that triggers the email can make the verification link sent to the user's mailbox point to an attacker-controlled domain. When the recipient opens the link, the email verification token is delivered to the attacker, which can lead to account takeover.
Recommendations: Update Pigeon to version 1.0.201 or later.
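The pattern behind this finding, as an added illustration that is not Pigeon's own code: a verification link built from $_SERVER['HTTP_HOST'] beside two ways to stop the host from being attacker-chosen. The function names, the SITE_ORIGIN constant, the allowlist contents and the sample hostnames are assumptions for the example, not identifiers from the project.

```php
<?php
// Added example (not Pigeon's own code): the Host-header pattern the
// advisory describes, beside two ways to stop it. Function and setting
// names are assumptions, not Pigeon identifiers.
declare(strict_types=1);

// Vulnerable pattern: the link host is copied from the client-supplied
// Host header, so whoever sends the registration or resend request
// chooses which domain the verification token is delivered to.
function buildVerificationUrlVulnerable(string $token): string
{
    return 'https://' . $_SERVER['HTTP_HOST'] . '/verify.php?token=' . rawurlencode($token);
}

// Fix 1: take the public origin from configuration, never from the request.
// (Assumed configuration constant; set it to the real deployment origin.)
const SITE_ORIGIN = 'https://forum.example.com';

function buildVerificationUrlFixed(string $token): string
{
    return SITE_ORIGIN . '/verify.php?token=' . rawurlencode($token);
}

// Fix 2, for deployments that must serve several hostnames: accept Host
// only when it is on an explicit allowlist. Returns null for anything
// else so the caller can answer 400 and refuse to generate a link.
function validatedRequestHost(array $allowedHosts): ?string
{
    $host = strtolower($_SERVER['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host); // drop an explicit :port
    return in_array($host, $allowedHosts, true) ? $host : null;
}

// Demonstration with a constructed attacker request (no web server needed):
// the Host header is set the way a malicious registration request would.
$_SERVER['HTTP_HOST'] = 'evil.example.net';
$token = bin2hex(random_bytes(16));

echo 'vulnerable: ', buildVerificationUrlVulnerable($token), PHP_EOL;
echo 'fixed:      ', buildVerificationUrlFixed($token), PHP_EOL;

$host = validatedRequestHost(['forum.example.com', 'www.forum.example.com']);
if ($host === null) {
    // In a real request handler: http_response_code(400); exit;
    echo 'allowlist:  rejected Host header ', $_SERVER['HTTP_HOST'], PHP_EOL;
} else {
    echo 'allowlist:  https://', $host, '/verify.php?token=', rawurlencode($token), PHP_EOL;
}
```

Run it with the PHP CLI to see the three link variants side by side. Two caveats when applying the fix: $_SERVER['SERVER_NAME'] is not a substitute for the configured origin unless the web server canonicalises it (on Apache, UseCanonicalName On), since by default it is also derived from the Host header; and behind a reverse proxy any X-Forwarded-Host value needs the same allowlist treatment before it is used to build links. The same rule applies to every emailed link that carries a secret, such as password reset links.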

Weakness Enumeration: Special Elements Injection
Related Identifiers: CVE-2026-32616, GHSA-RRJ4-9WGQ-PRCR
Affected Products: Pigeon