Nixpkgs security tracker

Untriaged

Permalink CVE-2026-32616

8.2 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): LOW
Availability impact (A): NONE

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

Pigeon has a Host Header Injection in email verification flow

Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification link sent to the user's email to point to an attacker-controlled domain. This can lead to account takeover by stealing the email verification token. This vulnerability is fixed in 1.0.201.

References

https://github.com/kasuganosoras/Pigeon/security/advisories/GHSA-rrj4-9wgq-prcr x_refsource_CONFIRM
https://github.com/kasuganosoras/Pigeon/releases/tag/1.0.201 x_refsource_MISC

Affected products

Pigeon

==< 1.0.201

Matching in nixpkgs

pkgs.pigeon

PEG parser generator for Go

nixos-unstable 1.3.0
- nixpkgs-unstable 1.3.0
- nixos-unstable-small 1.3.0
nixos-25.11 1.3.0
- nixos-25.11-small 1.3.0
- nixpkgs-25.11-darwin 1.3.0

pkgs.dovecot_pigeonhole

Sieve plugin for the Dovecot IMAP server

nixos-unstable 0.5.21.1
- nixpkgs-unstable 0.5.21.1
- nixos-unstable-small 0.5.21.1
nixos-25.11 0.5.21.1
- nixos-25.11-small 0.5.21.1
- nixpkgs-25.11-darwin 0.5.21.1