Common Weakness Enumeration

CWE-640

Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

CVE-2026-2543 (GCVE-0-2026-2543)

Vulnerability from cvelistv5 – Published: 2026-02-16 07:02 – Updated: 2026-02-23 10:06
Title
vichan-devel vichan Password Change pages.php unverified password change
Summary
A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverified password change. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-620 - Unverified Password Change
  • CWE-640 - Weak Password Recovery
Assigner: VulDB
References
URL Tags
https://vuldb.com/?id.346152 vdb-entry, technical-description
https://vuldb.com/?ctiid.346152 signature, permissions-required
https://vuldb.com/?submit.749716 third-party-advisory
https://github.com/lakshayyverma/CVE-Discovery/bl… related
Impacted products
Vendor Product Version
vichan-devel vichan Affected: 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5
Credits
lakshay12311 (VulDB User)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2543",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-17T21:04:24.388259Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-17T21:04:34.109Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Password Change Handler"
          ],
          "product": "vichan",
          "vendor": "vichan-devel",
          "versions": [
            {
              "status": "affected",
              "version": "5.1.0"
            },
            {
              "status": "affected",
              "version": "5.1.1"
            },
            {
              "status": "affected",
              "version": "5.1.2"
            },
            {
              "status": "affected",
              "version": "5.1.3"
            },
            {
              "status": "affected",
              "version": "5.1.4"
            },
            {
              "status": "affected",
              "version": "5.1.5"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "lakshay12311 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverified password change. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 3.3,
            "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:ND/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-620",
              "description": "Unverified Password Change",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "Weak Password Recovery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-23T10:06:50.195Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-346152 | vichan-devel vichan Password Change pages.php unverified password change",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.346152"
        },
        {
          "name": "VDB-346152 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.346152"
        },
        {
          "name": "Submit #749716 | Vichan Devel Vichan  5.1.5 Unverified Password Change",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.749716"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://github.com/lakshayyverma/CVE-Discovery/blob/main/vichan.md"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-15T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-02-15T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-02-20T07:24:21.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "vichan-devel vichan Password Change pages.php unverified password change"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-2543",
    "datePublished": "2026-02-16T07:02:06.623Z",
    "dateReserved": "2026-02-15T15:51:48.549Z",
    "dateUpdated": "2026-02-23T10:06:50.195Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2564 (GCVE-0-2026-2564)

Vulnerability from cvelistv5 – Published: 2026-02-16 16:02 – Updated: 2026-02-23 10:12
Title
Intelbras VIP 3260 Z IA OutsideCmd password recovery
Summary
A security flaw has been discovered in Intelbras VIP 3260 Z IA 2.840.00IB005.0.T. Affected by this vulnerability is an unknown functionality of the file /OutsideCmd. The manipulation results in weak password recovery. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitation appears to be difficult. It is recommended to upgrade the affected component.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery
Assigner: VulDB
References
URL Tags
https://vuldb.com/?id.346171 vdb-entry
https://vuldb.com/?ctiid.346171 signature, permissions-required
https://vuldb.com/?submit.741776 third-party-advisory
Impacted products
Vendor Product Version
Intelbras VIP 3260 Z IA Affected: 2.840.00IB005.0.T
Credits
ak7r4 (VulDB User)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2564",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-17T14:54:28.001175Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-17T14:54:37.992Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "VIP 3260 Z IA",
          "vendor": "Intelbras",
          "versions": [
            {
              "status": "affected",
              "version": "2.840.00IB005.0.T"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "ak7r4 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security flaw has been discovered in Intelbras VIP 3260 Z IA 2.840.00IB005.0.T. Affected by this vulnerability is an unknown functionality of the file /OutsideCmd. The manipulation results in weak password recovery. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitation appears to be difficult. It is recommended to upgrade the affected component."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.6,
            "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C/E:ND/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "Weak Password Recovery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-23T10:12:32.594Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-346171 | Intelbras VIP 3260 Z IA OutsideCmd password recovery",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.346171"
        },
        {
          "name": "VDB-346171 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.346171"
        },
        {
          "name": "Submit #741776 | Intelbras VIP 3260 Z IA v2.840.00IB005.0.T Weak Password Recovery",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.741776"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-15T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-02-15T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-02-18T15:38:32.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Intelbras VIP 3260 Z IA OutsideCmd password recovery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-2564",
    "datePublished": "2026-02-16T16:02:06.547Z",
    "dateReserved": "2026-02-15T19:22:27.386Z",
    "dateUpdated": "2026-02-23T10:12:32.594Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25858 (GCVE-0-2026-25858)

Vulnerability from cvelistv5 – Published: 2026-02-07 21:45 – Updated: 2026-04-08 15:02
Title
macrozheng mall <= 1.0.3 Unauthenticated Password Reset via OTP Disclosure
Summary
macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner: VulnCheck
Impacted products
Vendor Product Version
macrozheng mall Affected: 0, ≤ 1.0.3 (semver)
Credits
Lennon Chia

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25858",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-10T16:18:03.687222Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T15:02:59.030Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "mall",
          "repo": "https://github.com/macrozheng/mall",
          "vendor": "macrozheng",
          "versions": [
            {
              "lessThanOrEqual": "1.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:newbee-mall_project:newbee-mall:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "1.0.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lennon Chia"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim\u2019s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number."
            }
          ],
          "value": "macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim\u2019s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T17:17:15.650Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/macrozheng/mall/issues/946"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.macrozheng.com/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "macrozheng mall \u003c= 1.0.3 Unauthenticated Password Reset via OTP Disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-25858",
    "datePublished": "2026-02-07T21:45:41.186Z",
    "dateReserved": "2026-02-06T19:12:03.463Z",
    "dateUpdated": "2026-04-08T15:02:59.030Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-26273 (GCVE-0-2026-26273)

Vulnerability from cvelistv5 – Published: 2026-02-13 21:45 – Updated: 2026-02-17 20:00
Title
Known affected by Account Takeover via Password Reset Token Leakage
Summary
Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner: GitHub_M
Impacted products
Vendor Product Version
idno known Affected: < 1.6.3

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26273",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-17T20:00:43.160262Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-17T20:00:54.355Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "known",
          "vendor": "idno",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user\u0027s email, leading to full Account Takeover (ATO) without requiring access to the victim\u0027s email inbox. This vulnerability is fixed in 1.6.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-13T21:45:41.610Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/idno/known/security/advisories/GHSA-78wq-6gcv-w28r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/idno/known/security/advisories/GHSA-78wq-6gcv-w28r"
        },
        {
          "name": "https://github.com/idno/known/commit/8439a0747471559fb1ea9f074b929d390f27e66a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/idno/known/commit/8439a0747471559fb1ea9f074b929d390f27e66a"
        },
        {
          "name": "https://github.com/idno/known/releases/tag/1.6.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/idno/known/releases/tag/1.6.3"
        }
      ],
      "source": {
        "advisory": "GHSA-78wq-6gcv-w28r",
        "discovery": "UNKNOWN"
      },
      "title": "Known affected by Account Takeover via Password Reset Token Leakage"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26273",
    "datePublished": "2026-02-13T21:45:41.610Z",
    "dateReserved": "2026-02-12T17:10:53.413Z",
    "dateUpdated": "2026-02-17T20:00:54.355Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27593 (GCVE-0-2026-27593)

Vulnerability from cvelistv5 – Published: 2026-02-24 21:38 – Updated: 2026-02-27 20:56
Title
Statamic is vulnerable to account takeover via password reset link injection
Summary
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner: GitHub_M
Impacted products
Vendor Product Version
statamic cms Affected: < 5.73.10; >= 6.0.0-alpha.1, < 6.3.3

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27593",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-27T20:55:56.535981Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-27T20:56:07.561Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "statamic",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.73.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0-alpha.1, \u003c 6.3.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user\u0027s token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn\u0027t request the reset. This has been fixed in 6.3.3 and 5.73.10."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-24T21:38:17.354Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw"
        },
        {
          "name": "https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e"
        },
        {
          "name": "https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be"
        },
        {
          "name": "https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0"
        },
        {
          "name": "https://github.com/statamic/cms/releases/tag/v5.73.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/releases/tag/v5.73.10"
        },
        {
          "name": "https://github.com/statamic/cms/releases/tag/v6.3.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/releases/tag/v6.3.3"
        }
      ],
      "source": {
        "advisory": "GHSA-jxq9-79vj-rgvw",
        "discovery": "UNKNOWN"
      },
      "title": "Statamic is vulnerable to account takeover via password reset link injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27593",
    "datePublished": "2026-02-24T21:38:17.354Z",
    "dateReserved": "2026-02-20T19:43:14.601Z",
    "dateUpdated": "2026-02-27T20:56:07.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28213 (GCVE-0-2026-28213)

Vulnerability from cvelistv5 – Published: 2026-02-26 22:31 – Updated: 2026-02-27 18:51
Title
EverShop Vulnerable to Arbitrary Customer Account Takeover via Exposure of Password Reset Token in API Response
Summary
EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated account. Version 2.1.1 fixes the issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28213",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-27T18:50:55.596307Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-27T18:51:10.647Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "evershop",
          "vendor": "evershopcommerce",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the \"Forgot Password\" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated account. Version 2.1.1 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-26T22:31:47.122Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/evershopcommerce/evershop/security/advisories/GHSA-cg73-g723-39jw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/evershopcommerce/evershop/security/advisories/GHSA-cg73-g723-39jw"
        },
        {
          "name": "https://github.com/evershopcommerce/evershop/releases/tag/v2.1.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/evershopcommerce/evershop/releases/tag/v2.1.1"
        }
      ],
      "source": {
        "advisory": "GHSA-cg73-g723-39jw",
        "discovery": "UNKNOWN"
      },
      "title": "EverShop Vulnerable to Arbitrary Customer Account Takeover via Exposure of Password Reset Token in API Response"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28213",
    "datePublished": "2026-02-26T22:31:47.122Z",
    "dateReserved": "2026-02-25T15:28:40.649Z",
    "dateUpdated": "2026-02-27T18:51:10.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28268 (GCVE-0-2026-28268)

Vulnerability from cvelistv5 – Published: 2026-02-27 20:16 – Updated: 2026-03-03 20:26
Title
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
Summary
Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-459 - Incomplete Cleanup
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Impacted products
Vendor Product Version
go-vikunja vikunja Affected: < 2.1.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28268",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-03T20:26:41.313436Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-03T20:26:53.644Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vikunja",
          "vendor": "go-vikunja",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-459",
              "description": "CWE-459: Incomplete Cleanup",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-27T20:16:29.842Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-rfjg-6m84-crj2"
        },
        {
          "name": "https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/go-vikunja/vikunja/commit/5c2195f9fca9ad208477e865e6009c37889f87b2"
        },
        {
          "name": "https://vikunja.io/changelog/vikunja-v2.1.0-was-released",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://vikunja.io/changelog/vikunja-v2.1.0-was-released"
        }
      ],
      "source": {
        "advisory": "GHSA-rfjg-6m84-crj2",
        "discovery": "UNKNOWN"
      },
      "title": "Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28268",
    "datePublished": "2026-02-27T20:16:29.842Z",
    "dateReserved": "2026-02-26T01:52:58.732Z",
    "dateUpdated": "2026-03-03T20:26:53.644Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28681 (GCVE-0-2026-28681)

Vulnerability from cvelistv5 – Published: 2026-03-06 04:35 – Updated: 2026-03-06 16:07
Title
IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links
Summary
Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account's mntners and perform other account actions. If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password. This issue has been patched in versions 4.4.5 and 4.5.1.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Impacted products
Vendor Product Version
irrdnet irrd Affected: >= 4.4.0, < 4.4.5
Affected: >= 4.5.0, < 4.5.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28681",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T15:58:15.412745Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T16:07:02.713Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "irrd",
          "vendor": "irrdnet",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.4.0, \u003c 4.4.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.5.0, \u003c 4.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account\u0027s mntners and perform other account actions. If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password. This issue has been patched in versions 4.4.5 and 4.5.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T04:35:59.899Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/irrdnet/irrd/security/advisories/GHSA-22m3-c7vp-49fj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/irrdnet/irrd/security/advisories/GHSA-22m3-c7vp-49fj"
        },
        {
          "name": "https://github.com/irrdnet/irrd/commit/8408e0f1b9f47eb2f2e712d6153e32194df05fbb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/irrdnet/irrd/commit/8408e0f1b9f47eb2f2e712d6153e32194df05fbb"
        },
        {
          "name": "https://github.com/irrdnet/irrd/commit/cf62df4a49d3891e80b2879d9b324d1af050000c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/irrdnet/irrd/commit/cf62df4a49d3891e80b2879d9b324d1af050000c"
        },
        {
          "name": "https://irrd.readthedocs.io/en/stable/releases/4.4.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://irrd.readthedocs.io/en/stable/releases/4.4.5"
        },
        {
          "name": "https://irrd.readthedocs.io/en/stable/releases/4.5.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://irrd.readthedocs.io/en/stable/releases/4.5.1"
        }
      ],
      "source": {
        "advisory": "GHSA-22m3-c7vp-49fj",
        "discovery": "UNKNOWN"
      },
      "title": "IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28681",
    "datePublished": "2026-03-06T04:35:59.899Z",
    "dateReserved": "2026-03-02T21:43:19.927Z",
    "dateUpdated": "2026-03-06T16:07:02.713Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2895 (GCVE-0-2026-2895)

Vulnerability from cvelistv5 – Published: 2026-02-21 23:02 – Updated: 2026-02-23 19:27
Title
funadmin Member.php repass password recovery
Summary
A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
References
URL Tags
https://vuldb.com/?id.347206 vdb-entrytechnical-description
https://vuldb.com/?ctiid.347206 signaturepermissions-required
https://vuldb.com/?submit.753971 third-party-advisory
https://github.com/I4m6da/CVE/issues/2 issue-tracking
https://github.com/I4m6da/CVE/issues/2#issue-3884919985 exploitissue-tracking
Impacted products
Vendor Product Version
n/a funadmin Affected: 7.1.0-rc1
Affected: 7.1.0-rc2
Affected: 7.1.0-rc3
Affected: 7.1.0-rc4
    cpe:2.3:a:funadmin:funadmin:*:*:*:*:*:*:*:*
Credits
I4m6da (VulDB User)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2895",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-23T19:26:56.421604Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-23T19:27:18.883Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:funadmin:funadmin:*:*:*:*:*:*:*:*"
          ],
          "product": "funadmin",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "7.1.0-rc1"
            },
            {
              "status": "affected",
              "version": "7.1.0-rc2"
            },
            {
              "status": "affected",
              "version": "7.1.0-rc3"
            },
            {
              "status": "affected",
              "version": "7.1.0-rc4"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "I4m6da (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack is possible. The attack\u0027s complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 2.6,
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "Weak Password Recovery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-21T23:02:11.258Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-347206 | funadmin Member.php repass password recovery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.347206"
        },
        {
          "name": "VDB-347206 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.347206"
        },
        {
          "name": "Submit #753971 | funadmin v7.1.0-rc4 CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.753971"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/I4m6da/CVE/issues/2"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/I4m6da/CVE/issues/2#issue-3884919985"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-20T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-02-20T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-02-20T20:02:00.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "funadmin Member.php repass password recovery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-2895",
    "datePublished": "2026-02-21T23:02:11.258Z",
    "dateReserved": "2026-02-20T18:56:43.277Z",
    "dateUpdated": "2026-02-23T19:27:18.883Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29199 (GCVE-0-2026-29199)

Vulnerability from cvelistv5 – Published: 2026-05-04 05:42 – Updated: 2026-05-04 19:43
Summary
phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Impacted products
Vendor Product Version
phpBB phpBB Affected: ≥ 3.0.0, ≤ 3.3.15 (semver)
Credits
SEONG HUN JEONG (HunSec)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-29199",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-04T19:42:51.610948Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-04T19:43:18.257Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "phpBB",
          "vendor": "phpBB",
          "versions": [
            {
              "lessThanOrEqual": "3.3.15",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "SEONG HUN JEONG (HunSec)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-04T05:42:15.554Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://hackerone.com/reports/3543246"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2026-29199",
    "datePublished": "2026-05-04T05:42:15.554Z",
    "dateReserved": "2026-03-04T15:00:09.266Z",
    "dateUpdated": "2026-05-04T19:43:18.257Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phase: Architecture and Design

Description:

  • Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation

Phase: Architecture and Design

Description:

  • Do not use standard weak security questions and use several security questions.
Mitigation

Phase: Architecture and Design

Description:

  • Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation

Phase: Architecture and Design

Description:

  • Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation

Phase: Architecture and Design

Description:

  • Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation

Phase: Architecture and Design

Description:

  • Assign a new temporary password rather than revealing the original password.
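The mitigations above, taken together with the failure patterns in the records listed on this page (a reset token echoed in the API response, a token that stays valid after it has been used or after the cleanup job misses it, a reset link whose host is copied from the request), describe one reset flow. The Python below is an added illustration written for this page, not code from CWE, CAPEC or any of the projects in the records above. It uses an emailed single-use token rather than security questions, and everything in it is a constructed assumption: the in-memory user store, the `outbox` list standing in for a mailer, the 15-minute token lifetime, the 5-attempt lockout, and names such as `ResetService`, `request_reset` and `complete_reset`.

```python
"""Hardened password-reset flow: an added example for this page, not code from any project listed here.

Constructed assumptions: an in-memory user store, an outbox list instead of a mailer,
a 15-minute token lifetime and recovery disabled after 5 wrong tokens. Every name is hypothetical.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CANONICAL_BASE_URL = "https://example.invalid"  # from configuration, never from the Host header
RESET_TOKEN_TTL_SECONDS = 15 * 60               # assumption: tokens are short-lived
MAX_FAILED_ATTEMPTS = 5                         # assumption: disable recovery after this many misses
NEUTRAL_REPLY = "If that address is registered, a reset link has been sent."


def _sha256(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 for the stored credential (a real deployment uses its framework's KDF)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


@dataclass
class User:
    email: str            # address of record: the only destination a reset link is ever sent to
    password_hash: str


@dataclass
class ResetRecord:
    token_hash: str       # only a hash is stored, so a leaked DB row or log line is not a usable token
    expires_at: float
    failed_attempts: int = 0


@dataclass
class ResetService:
    users: Dict[str, User] = field(default_factory=dict)
    pending: Dict[str, ResetRecord] = field(default_factory=dict)
    locked: set = field(default_factory=set)                      # accounts whose recovery is disabled
    outbox: List[Tuple[str, str]] = field(default_factory=list)   # constructed stand-in for the mailer

    def request_reset(self, submitted_email: str, request_host: str, now: Optional[float] = None) -> str:
        """Start recovery. The reply is the same whether or not the address exists, and the
        token is delivered only to the address of record, never in the response body."""
        now = time.time() if now is None else now
        user = self.users.get(submitted_email.strip().lower())
        if user is not None and user.email not in self.locked:
            token = secrets.token_urlsafe(32)
            self.pending[user.email] = ResetRecord(_sha256(token), now + RESET_TOKEN_TTL_SECONDS)
            # request_host is deliberately ignored: the link is built from configuration,
            # which is what keeps a manipulated Host header out of the emailed link.
            link = f"{CANONICAL_BASE_URL}/reset?token={token}"
            self.outbox.append((user.email, link))
        return NEUTRAL_REPLY

    def complete_reset(self, email: str, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Consume a token exactly once; expired, reused or guessed tokens fail closed."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        rec = self.pending.get(email)
        if email in self.locked or rec is None:
            return False
        if now > rec.expires_at:
            del self.pending[email]                 # expiry enforced on use, not only by a cleanup job
            return False
        if not hmac.compare_digest(rec.token_hash, _sha256(token)):
            rec.failed_attempts += 1
            if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
                del self.pending[email]
                self.locked.add(email)              # recovery stays disabled until an operator re-enables it
            return False
        del self.pending[email]                     # single use: the token is gone before the password changes
        self.users[email].password_hash = hash_password(new_password)
        return True
```

The three checks in `complete_reset` map onto the records above: the constant-time hash comparison plus the attempt counter is the throttling the mitigation list asks for, the expiry check on every use means a broken cleanup job cannot keep tokens alive, and deleting the record before the password is written is what makes the token single-use. The neutral reply from `request_reset` also avoids confirming which addresses are registered.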
CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.
