Home / Vulnerability Intelligence / CVE-2026-32616

CVE-2026-32616 - Vulnerability Analysis

HighCVSS: 8.2

Last Updated: March 16, 2026

Pigeon - Open Redirect

Published: March 16, 2026Updated: March 16, 2026Remote Exploitable

Overview

Pigeon < 1.0.201 contains an open redirect caused by unvalidated use of $_SERVER['HTTP_HOST'] in email verification URL construction, letting attackers manipulate Host header to redirect users, exploit requires sending crafted Host header.

Severity & Score

Severity: High

CVSS Score: 8.2

EPSS Score: 3.3%(Probability of exploitation in next 30 days)

Impact

Attackers can redirect email verification links to attacker-controlled domains, potentially leading to account takeover.

Mitigation

Update to version 1.0.201 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 16, 2026

🟠 CVE-2026-32616 - High (8.2) Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host he... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32616/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-32616
Severity: High
CVSS Score: 8.2
Type: open_redirect
Status: unconfirmed
EPSS: 3.3%
Social Posts: 1

CWE

CWE-74

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

EPSS Score

3.3%Probability of exploitation in the next 30 days