Anchor CMS <= 0.9.2 (Current Version)

header injection

in anchor/models/comment.php

$headers  = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=utf-8' . "\r\n";
$headers .= 'From: notifications@' . $_SERVER['HTTP_HOST'] . "\r\n";

49: mail($to, __('comments.notify_subject'), $message, $headers);

so it  is possible to inject arbitary "From" headers or any header
using CRLF. simply by tampering and changing the host to bad.com or
bad.com\r\nNew-Header:Hacked!