{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-50635/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-10T22:46:42.371Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-50635","@id":"https://www.cve.org/CVERecord?id=CVE-2026-50635","description":"LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost() is a no-op. A remote, unauthenticated attacker who submits a forgotten-password request for a known account (requiring only the target's username and email) with a spoofed Host header causes LimeSurvey to email a password-reset link built from the spoofed host."},"products":[{"@id":"cpe:2.3:a:limesurvey:limesurvey:*:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:limesurvey:limesurvey:*:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"Update to a fixed version: 7.0.1.","timestamp":"2026-06-10T22:46:42.371Z"}]}