The vulnerability identified as CVE-2026-32616 affects kasuganosoras Pigeon, a message board, notepad, social system, and blog platform. In versions prior to 1.0.201, the application constructs email verification URLs by directly using the HTTP Host header ($_SERVER['HTTP_HOST']) without any validation or sanitization. This header is user-controllable and can be manipulated by an attacker to inject arbitrary domain names into the verification link sent via email during registration or resendmail processes. By doing so, the attacker can cause the victim's email verification link to point to a domain controlled by the attacker. If the victim clicks this malicious link, the attacker can capture the email verification token, which is used to confirm ownership of the email address and activate the account. This token theft can lead to account takeover, compromising user confidentiality. The vulnerability is classified under CWE-74, indicating improper neutralization of special elements in output used by a downstream component, specifically injection of untrusted data into URLs. The CVSS v3.1 score is 8.2 (high), reflecting network exploitability, no privileges required, user interaction needed, and a scope change with high confidentiality impact but limited integrity and no availability impact. No known exploits are reported in the wild yet. The issue is resolved in version 1.0.201 by presumably validating or sanitizing the Host header before use.

This vulnerability poses a significant risk to organizations using kasuganosoras Pigeon versions prior to 1.0.201. Successful exploitation can lead to account takeover by stealing email verification tokens, compromising user accounts and potentially exposing sensitive personal or organizational data. Attackers can impersonate legitimate users, leading to unauthorized access, data leakage, and potential misuse of the platform for further attacks or misinformation. The impact is primarily on confidentiality, with some integrity concerns due to unauthorized account control. Since the vulnerability requires no authentication and can be exploited remotely over the network, it broadens the attack surface. Organizations relying on Pigeon for communication or social collaboration may face reputational damage and loss of user trust if exploited. Although no availability impact is noted, the breach of user accounts can have cascading effects on organizational security posture.

Organizations should immediately upgrade kasuganosoras Pigeon to version 1.0.201 or later, where this vulnerability is fixed. Until upgrading, implement strict validation and sanitization of the HTTP Host header before using it in any URL construction, ensuring it matches expected domain names or is derived from a trusted configuration rather than user input. Employ web application firewalls (WAFs) to detect and block suspicious Host header manipulations. Educate users to be cautious about clicking unexpected verification links and verify URLs before interaction. Additionally, consider implementing multi-factor authentication (MFA) to reduce the impact of account takeovers. Regularly audit and monitor email verification flows and logs for anomalies indicating exploitation attempts. Finally, developers should adopt secure coding practices to avoid using untrusted input directly in security-sensitive contexts.