Anchor CMS <= 0.9.2 (Current Version) header injection in anchor/models/comment.php $headers = 'MIME-Version: 1.0' . "\r\n"; $headers .= 'Content-type: text/html; charset=utf-8' . "\r\n"; $headers .= 'From: notifications@' . $_SERVER['HTTP_HOST'] . "\r\n"; 49: mail($to, __('comments.notify_subject'), $message, $headers); so it is possible to inject arbitary "From" headers or any header using CRLF. simply by tampering and changing the host to bad.com or bad.com\r\nNew-Header:Hacked!