Vulnerability in Monicahq Monica

CVE-2026-26747

A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and defa…

EPSS: 0.004 (30.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

Affected products

Weakness classification (CWE)

References

Frequently asked questions

What is CVE-2026-26747?
CVE-2026-26747 is a critical-severity vulnerability in Monicahq Monica, classified under Improper Neutralization of HTTP Headers for Scripting Syntax. CVSS score: 9.1/10. Published 2026-02-20.
How severe is CVE-2026-26747?
Critical severity. CVSS v3 base score is 9.1 out of 10.