CVE-2026-50635 — LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the de — CVE Database · The Intelligence Room