GHSA-78WQ-6GCV-W28R

Vulnerability from github – Published: 2026-02-13 22:49 – Updated: 2026-02-13 22:49
VLAI?
Summary
Known affected by Account Takeover via Password Reset Token Leakage
Details

Summary

A Critical Broken Authentication vulnerability exists in Known 1.6.2. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox.

Details

The vulnerability occurs within the password reset flow. When a reset is requested, the application generates a verification code. However, the subsequent reset page (/account/password/reset/) incorrectly reflects this code back to the client in the HTML source code.

Specifically, the sensitive token is embedded in:

Because this page is accessible via a GET request using the victim's email as a parameter, an attacker can programmatically extract the token.

PoC

  1. The attacker asks for a password reset for the victim

image

image(1)

  1. The attacker makes the following curl command on the terminal using the victim's email, and is able to get the code that was sent as an hidden field in the HTML. image(2)

  2. With this code, the attacker is able to use it in order to reset the victim password. image(3)

image(4)

  1. The attacker is able to login with the new password.

image(5)

image(6)

Impact

  • An attacker can compromise any account on the platform, including administrative accounts, resulting in total loss of Confidentiality, Integrity, and Availability.
Severity ?
9.8 (Critical)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.6.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "idno/known"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26273"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-13T22:49:27Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nA Critical Broken Authentication vulnerability exists in Known 1.6.2. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user\u0027s email, leading to full Account Takeover (ATO) without requiring access to the victim\u0027s email inbox.\n\n### Details\nThe vulnerability occurs within the password reset flow. When a reset is requested, the application generates a verification code. However, the subsequent reset page (/account/password/reset/) incorrectly reflects this code back to the client in the HTML source code.\n\nSpecifically, the sensitive token is embedded in:\n\u003cinput type=\"hidden\" name=\"code\" value=\"[SECRET_TOKEN]\"\u003e\n\nBecause this page is accessible via a GET request using the victim\u0027s email as a parameter, an attacker can programmatically extract the token.\n\n### PoC\n1. The attacker asks for a password reset for the victim\n\n\u003cimg width=\"1328\" height=\"580\" alt=\"image\" src=\"https://github.com/user-attachments/assets/0197907e-f10b-4e6d-989e-f25c408862cd\" /\u003e\n\n\u003cimg width=\"1139\" height=\"452\" alt=\"image(1)\" src=\"https://github.com/user-attachments/assets/9a317b27-b56a-4663-9965-d3e660713f4e\" /\u003e\n\n\n2. The attacker makes the following curl command on the terminal using the victim\u0027s email, and is able to get the code that was sent as an hidden field in the HTML.\n\u003cimg width=\"917\" height=\"220\" alt=\"image(2)\" src=\"https://github.com/user-attachments/assets/af89ba3b-de56-4437-84b3-c1feb56d2348\" /\u003e\n\n3. With this code, the attacker is able to use it in order to reset the victim password.\n\u003cimg width=\"1335\" height=\"711\" alt=\"image(3)\" src=\"https://github.com/user-attachments/assets/498b8a2e-9eb2-4b50-bc35-26b0f2764c8d\" /\u003e\n\n\u003cimg width=\"1258\" height=\"524\" alt=\"image(4)\" src=\"https://github.com/user-attachments/assets/d1304dc3-bf56-4ec7-920c-ecce502db6b0\" /\u003e\n\n4. The attacker is able to login with the new password.\n\n\u003cimg width=\"1514\" height=\"631\" alt=\"image(5)\" src=\"https://github.com/user-attachments/assets/2533032e-6f0d-45c8-9fe1-881bfedebcc4\" /\u003e\n\n\u003cimg width=\"1528\" height=\"647\" alt=\"image(6)\" src=\"https://github.com/user-attachments/assets/a6e9144c-cc96-493d-8780-9156c299a192\" /\u003e\n\n\n\n### Impact\n- An attacker can compromise any account on the platform, including administrative accounts, resulting in total loss of Confidentiality, Integrity, and Availability.",
  "id": "GHSA-78wq-6gcv-w28r",
  "modified": "2026-02-13T22:49:27Z",
  "published": "2026-02-13T22:49:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/idno/known/security/advisories/GHSA-78wq-6gcv-w28r"
    },
    {
      "type": "WEB",
      "url": "https://github.com/idno/known/commit/8439a0747471559fb1ea9f074b929d390f27e66a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/idno/known"
    },
    {
      "type": "WEB",
      "url": "https://github.com/idno/known/releases/tag/1.6.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Known affected by Account Takeover via Password Reset Token Leakage"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.