Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.1
Monica 4.1.2 Password Reset Links Can Be Hijacked
CVE-2026-26747
Summary
An attacker can intercept and manipulate password reset links sent to users, potentially allowing them to access the account. This is due to the application's use of the HTTP Host header to generate URLs. To fix this, consider setting the 'app.force_url' configuration setting to 'true' or ensuring that the Host header is properly validated.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| monicahq | monica | 4.1.2 | – |
Original title
A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration whe...
Original description
A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "false". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,
nvd CVSS3.1
9.1
Vulnerability type
CWE-644
- https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26747.md Exploit Vendor Advisory
- https://github.com/monicahq/monica Product
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026