CVE-2026-26747 — CRITICAL (9.1)

Vulnerability Description

A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "false". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Monicahq	Monica	4.1.2

Related Weaknesses (CWE)

CWE-644

References

https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26747.mdExploitVendor Advisory
https://github.com/monicahq/monicaProduct

FAQ

What is CVE-2026-26747?

CVE-2026-26747 is a vulnerability with a CVSS score of 9.1 (CRITICAL). A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where ...

How severe is CVE-2026-26747?

CVE-2026-26747 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-26747?

Check the references section above for vendor advisories and patch information. Affected products include: Monicahq Monica.