CVE-2026-26747

moderate-risk

Published 2026-02-20

A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "false". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,

Do I need to act?

0.08% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.1/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Monica

Affected Vendors

Monicahq

References (2)

Exploit https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26747.md

Product https://github.com/monicahq/monica

/ 100

moderate-risk

Severity 31/34 · Critical

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal