Vulnerability Monitor


CVE-2025-3026

The vulnerability exists in the EJBCA service, version 8.0 Enterprise. Not tested in higher versions. By modifying the 'Host' header in an HTTP request, it is possible to manipulate the generated links and thus redirect the client to a different base URL. In this way, an attacker could insert his own server for the client to send HTTP requests to, provided he succeeds in exploiting it.


Published

2025-03-31T11:15:40.127

Last Modified

2025-10-09T15:04:20.607

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-74

Affected Vendors & Products
Type         Vendor    Product  Version/Range  Vulnerable?
Application  primekey  ejbca    < 9.1          Yes

References