Key Information

Vulnerability Type
Host Header Injection in Email Confirmation Link

Vulnerable Code

Issue Description
The value of the request's Host header is used directly to construct the email confirmation link. It is sanitized only via HTML escaping, with no validation of the host against the application's own domain. An attacker can therefore fully control the host portion of the link simply by changing the Host header of the HTTP request that triggers the email.

Reproduction Steps (POC)
1. Create a new account or trigger the "resend verification email" feature.
2. Intercept the resulting POST request using Burp Suite.
3. Modify the Host header to an attacker-controlled domain (e.g., ).
4. Send the modified request.
5. Check the received confirmation email: the link points to the attacker-controlled domain.
6. When the victim clicks the link, the attacker's server receives the email confirmation token and can use it to confirm the account.

Impact
Account Takeover: an attacker registers an account with the victim's email address, tricks the victim into clicking the manipulated confirmation link, and completes email verification for an account the attacker controls.
Phishing: the attacker can host a fake login page on the attacker-controlled domain and lure victims into entering their credentials.
Trust Abuse: the email is genuine, signed, and sent from the real domain, so recipients have no visible reason to distrust the link.

Severity
Critical

Recommended Remediation
Do not use the Host header to build security-sensitive URLs. Use fixed, trusted values from configuration (e.g., ). If multiple domains must be supported, validate the host against an explicit whitelist of allowed hosts and reject or fall back to the configured domain on mismatch. Never rely on escaping to secure URLs: HTML escaping protects the markup of the email body, not the destination of the link, and does nothing to validate a hostname. When verifying the fix, repeat the reproduction steps and confirm the link still points to the configured domain regardless of the Host header sent; if the application sits behind a reverse proxy, also check that X-Forwarded-Host is not trusted in the same way.
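As an added illustration (not code from the original report or from the affected application), the following Python shows the vulnerable pattern the Issue Description refers to beside the hardened form the Recommended Remediation calls for. The configuration values CANONICAL_BASE_URL and ALLOWED_HOSTS, the /confirm path, and the token values are assumptions made for this example.

```python
import html
import re
from urllib.parse import quote

# Hypothetical configuration (assumed for this example, not taken from the
# affected application): the canonical public origin and the exact set of
# hosts the application is allowed to serve.
CANONICAL_BASE_URL = "https://app.example.com"
ALLOWED_HOSTS = frozenset({"app.example.com", "www.example.com"})

# Shape of a syntactically valid Host value: a DNS-style hostname or a
# bracketed IPv6 literal, optionally followed by ":port". Anything else
# ("/", "@", "#", whitespace, percent-escapes) is rejected, not "cleaned".
_HOST_RE = re.compile(r"(?:[a-z0-9.-]+|\[[0-9a-f:.]+\])(?::\d{1,5})?")


def vulnerable_confirmation_link(host_header, token):
    """The pattern described in the report: the Host header is dropped
    straight into the URL and only HTML-escaped. Escaping protects the
    e-mail's HTML markup, not the destination of the link."""
    return html.escape(f"https://{host_header}/confirm?token={token}")


def normalise_host(host_header):
    """Canonical form of a Host header for allowlist comparison: trimmed,
    lower-cased, trailing dot removed. Returns None for a malformed value."""
    if not host_header:
        return None
    host = host_header.strip().lower().rstrip(".")
    if not _HOST_RE.fullmatch(host):
        return None
    return host


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only when the normalised host is an exact allowlist entry
    (ports included): 'app.example.com:8443' is not 'app.example.com'."""
    host = normalise_host(host_header)
    return host is not None and host in allowed


def safe_confirmation_link(host_header, token,
                           allowed=ALLOWED_HOSTS, canonical=CANONICAL_BASE_URL):
    """Build the link from trusted values only. A single-domain deployment
    can ignore the Host header entirely and always use `canonical`; a
    multi-domain deployment honours the request's host only when it is an
    exact allowlist match, otherwise the link uses the canonical origin."""
    host = normalise_host(host_header)
    base = f"https://{host}" if host is not None and host in allowed else canonical
    # URL-encode the token so it cannot add query parameters or fragments.
    return f"{base}/confirm?token={quote(token, safe='')}"


if __name__ == "__main__":
    # Constructed Host header values, mirroring step 3 of the POC.
    for hdr in ("app.example.com", "attacker.example",
                "app.example.com.attacker.example", "app.example.com@attacker.example"):
        print(f"{hdr!r:45} vulnerable -> {vulnerable_confirmation_link(hdr, 't0k3n')}")
        print(f"{'':45} safe       -> {safe_confirmation_link(hdr, 't0k3n')}")
```

Running the block prints, for each constructed Host value, the link the vulnerable code would email next to the link the hardened code produces; only exact allowlist matches ever change the host, and every other value, including look-alike subdomains and malformed strings, yields the configured canonical origin.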