Home / Vulnerability Intelligence / CVE-2026-32616

CVE-2026-32616 - Vulnerability Analysis

HighCVSS: 8.2

Last Updated: March 16, 2026

Pigeon - Open Redirect

Published: March 16, 2026Updated: March 16, 2026Remote Exploitable

Overview

Pigeon < 1.0.201 contains an open redirect caused by unvalidated use of $_SERVER['HTTP_HOST'] in email verification URL construction, letting attackers manipulate Host header to redirect users, exploit requires sending crafted HTTP requests.

Severity & Score

Severity: High

CVSS Score: 8.2

Impact

Attackers can redirect verification links to attacker-controlled domains, enabling account takeover via stolen email tokens.

Mitigation

Update to version 1.0.201 or later.

References

https://github.com/kasuganosoras/Pigeon/releases/tag/1.0.201
https://github.com/kasuganosoras/Pigeon/security/advisories/GHSA-rrj4-9wgq-prcr

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-32616
Severity: High
CVSS Score: 8.2
Type: open_redirect
Status: unconfirmed

CWE

CWE-74

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N