[GHSA-7gm6-w7mx-58cr] phpBB before 3.3.16 is vulnerable to Host Header...#7695
Conversation
There was a problem hiding this comment.
Pull request overview
Adds affected package ranges and a summary to advisory GHSA-7gm6-w7mx-58cr for a phpBB Host Header Injection vulnerability leading to password reset link poisoning.
Changes:
- Adds a
summaryfield describing the vulnerability. - Populates the previously empty
affectedarray with two Packagist ranges forphpbb/phpbb(3.0.0–3.3.16 and 4.0.0-a1–4.0.0-a2). - Bumps the
modifiedtimestamp.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the |
I don't see anything waiting on me? Maybe someone at GitHub can get their copilot agent to check their notifications to tell them that there is an open task? |
de0c618
into
marc1706/advisory-improvement-7695
|
Hi @marc1706! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
I'm lead developer of phpBB and created this CVE via Hackerone.
See also the following announcements:
https://www.phpbb.com/community/viewtopic.php?t=2671024
https://blog.phpbb.com/2026/04/27/phpbb-4-0-0-a2-release/