CVE-2026-32616 is an injection vulnerability classified under CWE-74, affecting kasuganosoras Pigeon, a message board, notepad, social system, and blog platform. Prior to version 1.0.201, Pigeon uses the HTTP Host header ($_SERVER['HTTP_HOST']) directly and without validation to construct email verification URLs during user registration and resendmail workflows. Because the Host header is attacker-controllable, an adversary can send HTTP requests with a manipulated Host header, causing the system to generate verification links that point to domains controlled by the attacker. When these malicious links are sent to users via email, clicking them can expose the email verification token to the attacker. This token exposure enables account takeover by allowing the attacker to verify accounts or reset credentials. The vulnerability impacts confidentiality (exposure of tokens) and integrity (account compromise) but does not affect availability. Exploitation requires no privileges or authentication but does require user interaction to click the malicious link. The vulnerability is fixed in version 1.0.201 by properly validating or sanitizing the Host header before use in URL generation. No known exploits are currently in the wild, but the high CVSS score (8.2) reflects the serious risk posed by this flaw.

The primary impact of CVE-2026-32616 is the potential for account takeover through theft of email verification tokens. Organizations using vulnerable versions of Pigeon risk unauthorized access to user accounts, which can lead to data breaches, impersonation, and further exploitation within the system. Confidentiality is compromised as attackers can intercept sensitive tokens. Integrity is affected because attackers can manipulate account states by verifying or resetting accounts fraudulently. Although availability is not directly impacted, the reputational damage and potential regulatory consequences of compromised user accounts can be significant. This vulnerability is particularly dangerous for organizations relying on Pigeon for user authentication and communication, especially those with sensitive or critical user data. The ease of exploitation (no authentication required) and the widespread use of HTTP Host headers in web applications increase the risk of exploitation if patches are not applied promptly.

1. Upgrade Pigeon to version 1.0.201 or later immediately to apply the official fix that validates the HTTP Host header before use in email verification URLs. 2. Implement strict validation and sanitization of all HTTP headers, especially Host headers, to ensure they conform to expected domain names or whitelist approved domains. 3. Use absolute URLs with hardcoded or securely configured domain names for email verification links instead of relying on user-controllable headers. 4. Monitor outgoing email verification links for anomalies or unexpected domains to detect potential exploitation attempts. 5. Educate users to be cautious about clicking email links and verify the domain before interacting. 6. Employ multi-factor authentication to reduce the impact of account takeover even if tokens are compromised. 7. Conduct regular security audits and penetration testing focusing on header injection and token handling mechanisms. 8. Implement logging and alerting for unusual registration or email resend activities that may indicate exploitation attempts.