PT-2026-36770 · Phpbb · Phpbb

Published 2026-05-04 · Updated 2026-05-29 · CVE-2026-29199

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: phpBB versions prior to 3.3.16

Description: Host Header Injection occurs when the force server vars setting is disabled. phpBB then takes the server hostname from the HTTP Host header of the incoming request and uses it to build password reset link URLs. An attacker who can control the Host header, for example because the webserver does not validate it or the virtual host setup is misconfigured, can cause password reset emails to contain links pointing to a domain under their control; if the recipient follows such a link, the request goes to the attacker's domain, which may lead to account takeover.

Recommendations: Update to version 3.3.16 or later. Enable the force server vars setting so that URLs are generated from the configured server name rather than from the HTTP Host header.
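The following PHP snippet is an added illustration of the pattern described above and of the hardened alternative; it is not phpBB's own code. The configuration keys (force_server_vars, server_name, server_protocol, script_path) are modelled on phpBB's settings, but the functions, the reset-link path and the sample values are constructed for this example.

```php
<?php
// Added example (not phpBB's code): how a password reset link ends up on an
// attacker-chosen host when the hostname is read from the request, and a
// hardened variant that only ever uses the configured server name.
// Assumed: config keys modelled on phpBB (force_server_vars, server_name,
// server_protocol, script_path); RESET_PATH is an illustrative placeholder,
// not phpBB's real reset route.

declare(strict_types=1);

const RESET_PATH = '/reset.php?token='; // placeholder path for the example

/**
 * Vulnerable pattern: with force_server_vars off, the hostname comes straight
 * from the HTTP Host header, which the client (and so an attacker) controls.
 */
function build_reset_url_vulnerable(array $config, array $server, string $token): string
{
    if ($config['force_server_vars']) {
        $host = $config['server_name'];
    } else {
        $host = $server['HTTP_HOST'];           // attacker-controlled value
    }
    return $config['server_protocol'] . $host . $config['script_path']
        . RESET_PATH . rawurlencode($token);
}

/**
 * Hardened pattern: the link is always built from the configured server name,
 * and a request whose Host header is not on the allowlist is refused outright,
 * so no email is generated for a spoofed request at all.
 */
function build_reset_url_hardened(array $config, array $server, string $token, array $allowed_hosts): ?string
{
    $request_host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    // Drop an optional ":port" suffix before comparing against the allowlist.
    $request_host = preg_replace('/:\d+$/', '', $request_host);
    if (!in_array($request_host, $allowed_hosts, true)) {
        return null;                            // unrecognised Host header
    }
    $host = $config['server_name'];             // never the raw header
    return $config['server_protocol'] . $host . $config['script_path']
        . RESET_PATH . rawurlencode($token);
}

// Constructed sample input: a request carrying a spoofed Host header.
$config = [
    'force_server_vars' => false,
    'server_name'       => 'forum.example.org',
    'server_protocol'   => 'https://',
    'script_path'       => '/forum',
];
$spoofed = ['HTTP_HOST' => 'attacker.example.net'];
$token   = 'constructed-token-value';

// Vulnerable path with the setting disabled: link points at the spoofed host.
echo build_reset_url_vulnerable($config, $spoofed, $token), PHP_EOL;

// Hardened path: the spoofed request is refused (null), no link is produced.
var_dump(build_reset_url_hardened($config, $spoofed, $token, ['forum.example.org']));

// Same vulnerable function with force_server_vars enabled: the configured
// server name is used, which is the mitigation the advisory recommends.
$config['force_server_vars'] = true;
echo build_reset_url_vulnerable($config, $spoofed, $token), PHP_EOL;
```

The allowlist check in the hardened variant is the application-side counterpart of validating the Host header at the webserver; either one stops the spoofed hostname from reaching the URL builder, and enabling force server vars removes the dependency on the header entirely.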


Weakness Enumeration

Related Identifiers

CVE-2026-29199
GHSA-7GM6-W7MX-58CR

Affected Products

Phpbb