JUNG Unchained: Host Header Hijacking in Smart Visu Server
Vulnerability ID: CVE-2026-26234
CVSS Score: 8.8
Published: 2026-02-12
The JUNG Smart Visu Server, a high-end visualization tool for KNX smart home installations, fails to sanitize the 'X-Forwarded-Host' header. This allows unauthenticated attackers to inject malicious domains into the application's response, leading to cache poisoning and redirection attacks.
TL;DR
Unauthenticated attackers can inject arbitrary domains via the 'X-Forwarded-Host' header. The server reflects this input into API responses (JSON links). This can poison web caches or trick users into visiting malicious sites. No official patch exists yet; mitigation requires network-level blocking of the header.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-644
- CVSS v3.1: 8.8 (High)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Attack Vector: Network (HTTP Headers)
- EPSS Score: 0.0007 (0.07%)
- Exploit Status: PoC Available
Affected Systems
- JUNG Smart Visu Server 1.1.1050
- JUNG Smart Visu Server 1.0.905
- JUNG Smart Visu Server 1.0.832
- JUNG Smart Visu Server 1.0.830
- Smart Visu Server = 1.1.1050 (Fixed in: None)
- Smart Visu Server = 1.0.905 (Fixed in: None)
Exploit Details
- Zero Science Lab: Proof of Concept demonstrating the header injection via curl.
Mitigation Strategies
- Network Segmentation
- Reverse Proxy Filtering
- WAF Rules
Remediation Steps
- Place the JUNG Smart Visu Server behind a trusted reverse proxy (e.g., Nginx, Apache).
- Configure the proxy to strip or overwrite the 'X-Forwarded-Host' header from incoming requests.
- Ensure the device is not accessible from the public internet (WAN).
- Monitor logs for requests containing unexpected Host headers.
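The four steps above as one nginx fragment, added here as an example and not part of the advisory or of JUNG's documentation. The upstream address, hostname, certificate paths and log path are placeholders; the fragment belongs inside the `http {}` context.

```nginx
# Added example, not from the advisory. Placeholders: 192.168.10.20 (appliance
# on its own network segment), visu.example.internal (published name).

# Weak setting: passing the client-supplied value through lets an attacker's
# X-Forwarded-Host reach the appliance, which reflects it into JSON links.
#   proxy_set_header X-Forwarded-Host $http_x_forwarded_host;

upstream smart_visu {
    server 192.168.10.20:80;
}

# Log Host and X-Forwarded-Host as received, so unexpected values stand out.
log_format visu_hdr '$remote_addr [$time_local] host="$host" '
                    'xfh="$http_x_forwarded_host" "$request" $status';

# Catch-all: close the connection for any Host that is not the published name.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/certs/visu.crt;
    ssl_certificate_key /etc/ssl/private/visu.key;
    access_log /var/log/nginx/visu-hdr.log visu_hdr;
    return 444;
}

server {
    listen 443 ssl;
    server_name visu.example.internal;
    ssl_certificate     /etc/ssl/certs/visu.crt;
    ssl_certificate_key /etc/ssl/private/visu.key;
    access_log /var/log/nginx/visu-hdr.log visu_hdr;

    location / {
        # Overwrite, never pass through, the headers the appliance may use to
        # build absolute URLs. $server_name is the matched exact name, so the
        # appliance only ever sees the published hostname.
        proxy_set_header Host              $server_name;
        proxy_set_header X-Forwarded-Host  $server_name;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_pass http://smart_visu;
    }
}
```

With the appliance reachable only from the proxy's segment, any log line whose `host=` or `xfh=` value differs from the published name is a request that tried to bypass the proxy's rewriting.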
References
Read the full report for CVE-2026-26234 on our website for more details including interactive diagrams and full exploit analysis.