phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is then used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through a misconfigured virtual host setup or missing header validation by the web server) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-29199 exploits a critical flaw in phpBB's password reset mechanism when the force_server_vars setting is disabled. The vulnerability allows attackers to manipulate the HTTP Host header, causing the application to generate password reset links pointing to attacker-controlled domains instead of the legitimate server. This is particularly dangerous because password reset emails are inherently trusted communications—users click links expecting them to lead to legitimate password recovery pages. Any phpBB installation before version 3.3.16 with force_server_vars disabled is at risk, making this a widespread threat affecting forum administrators and their user bases who may unknowingly visit phishing domains and compromise their credentials.
While this CVE doesn't currently map to specific MITRE ATT&CK techniques in the framework, it represents a class of attacks that Casky's 754 security skills would detect through behavioral analysis of web server request patterns and email content generation flows. Practitioners using Casky would identify the attack pattern through detection of: (1) anomalous Host header values deviating from baseline server configuration, (2) discrepancies between the expected hostname and dynamically generated URLs in application logs, and (3) unusual email content containing externally-controlled domain references. Claude's extended reasoning would correlate these indicators to flag potential credential access attacks (T1110 family) and initial access vectors (T1566 - Phishing), allowing defenders to catch Host header injection attempts before malicious password reset links reach end users. The intelligence would highlight the critical importance of validating and hardening host header handling in web applications.
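The following PHP script is an added illustration, not phpBB's own code, of the mechanism described in the advisory text and of the Host-header mismatch check mentioned as a detection indicator above. It reimplements, in miniature, a reset-link builder that falls back to the request's Host header when the forced-hostname setting is off, next to a hardened builder that always uses the administrator-configured hostname and logs any request whose Host header disagrees with it. The configuration keys force_server_vars and server_name are phpBB's real setting names; the URL path, the token value, the hostnames and the function names are constructed for this example only.

```php
<?php
// Added example (not phpBB's code): Host-header poisoning of a password
// reset link, and the pinned-hostname check that prevents and detects it.

/**
 * Vulnerable pattern: when force_server_vars is off, the hostname used in
 * the reset link is taken from the client-controlled Host header.
 * The path '/reset.php' is a placeholder, not phpBB's real reset URL.
 */
function build_reset_url_vulnerable(array $config, array $server, string $token): string
{
    if (!empty($config['force_server_vars'])) {
        $host = $config['server_name'];
    } else {
        // HTTP_HOST is copied from the request; an attacker who can forge the
        // Host header chooses the domain that lands in the user's email.
        $host = $server['HTTP_HOST'] ?? $config['server_name'];
    }
    return 'https://' . $host . '/reset.php?token=' . rawurlencode($token);
}

/**
 * Hardened pattern: always use the configured hostname, and refuse to send a
 * link at all when the request's Host header does not match it. The mismatch
 * log line is the detection signal a defender can alert on.
 */
function build_reset_url_hardened(array $config, array $server, string $token): ?string
{
    $expected = strtolower($config['server_name']);
    $received = strtolower($server['HTTP_HOST'] ?? '');
    // Ignore an optional ":port" suffix before comparing hostnames.
    $received = preg_replace('/:\d+$/', '', $received);

    if ($received !== '' && $received !== $expected) {
        error_log("host header mismatch: expected={$expected} received={$received}");
        return null;
    }
    return 'https://' . $expected . '/reset.php?token=' . rawurlencode($token);
}

// Constructed sample data: a forum configured for forum.example.org whose
// administrator left force_server_vars disabled, and one request that carries
// a forged Host header.
$config = ['force_server_vars' => 0, 'server_name' => 'forum.example.org'];
$forged = ['HTTP_HOST' => 'attacker.example.net'];
$token  = 'constructed-token-123';

// The vulnerable builder embeds the forged hostname in the link; the hardened
// builder returns null and writes the mismatch to the error log instead.
echo "vulnerable: ", build_reset_url_vulnerable($config, $forged, $token), PHP_EOL;
$safe = build_reset_url_hardened($config, $forged, $token);
echo "hardened:   ", $safe === null ? '(refused, mismatch logged)' : $safe, PHP_EOL;
```

Run it with `php example.php` to see the two outcomes side by side. The same comparison can be applied at the web server or reverse proxy by rejecting requests whose Host header is not in an explicit allowlist, which removes the attacker's influence before the application sees the request.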
Casky has 0 skills that investigate the attack patterns behind CVE-2026-29199. Run one and get CVSS-scored findings in 3 minutes.