Common Weakness Enumeration

CWE-640

Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

CVE-2026-1325 (GCVE-0-2026-1325)

Vulnerability from cvelistv5 – Published: 2026-01-22 13:02 – Updated: 2026-02-23 08:52
VLAI
Title
Sangfor Operation and Maintenance Security Management System edit_pwd_mall password recovery
Summary
A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.342301 vdb-entrytechnical-description
https://vuldb.com/?ctiid.342301 signaturepermissions-required
https://vuldb.com/?submit.736208 third-party-advisory
https://github.com/LX-LX88/cve/issues/21 broken-linkexploitissue-tracking
Impacted products
Vendor Product Version
Sangfor Operation and Maintenance Security Management System Affected: 3.0.0
Affected: 3.0.1
Affected: 3.0.2
Affected: 3.0.3
Affected: 3.0.4
Affected: 3.0.5
Affected: 3.0.6
Affected: 3.0.7
Affected: 3.0.8
Affected: 3.0.9
Affected: 3.0.10
Affected: 3.0.11
Affected: 3.0.12
Create a notification for this product.
Credits
LINXI666 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1325",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-22T20:20:23.919611Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-22T20:20:34.692Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Operation and Maintenance Security Management System",
          "vendor": "Sangfor",
          "versions": [
            {
              "status": "affected",
              "version": "3.0.0"
            },
            {
              "status": "affected",
              "version": "3.0.1"
            },
            {
              "status": "affected",
              "version": "3.0.2"
            },
            {
              "status": "affected",
              "version": "3.0.3"
            },
            {
              "status": "affected",
              "version": "3.0.4"
            },
            {
              "status": "affected",
              "version": "3.0.5"
            },
            {
              "status": "affected",
              "version": "3.0.6"
            },
            {
              "status": "affected",
              "version": "3.0.7"
            },
            {
              "status": "affected",
              "version": "3.0.8"
            },
            {
              "status": "affected",
              "version": "3.0.9"
            },
            {
              "status": "affected",
              "version": "3.0.10"
            },
            {
              "status": "affected",
              "version": "3.0.11"
            },
            {
              "status": "affected",
              "version": "3.0.12"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "LINXI666 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "Weak Password Recovery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-23T08:52:29.862Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-342301 | Sangfor Operation and Maintenance Security Management System edit_pwd_mall password recovery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.342301"
        },
        {
          "name": "VDB-342301 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.342301"
        },
        {
          "name": "Submit #736208 | Sangfor Operation and Maintenance Security Management System (OSM / \u8fd0\u7ef4\u5b89\u5168\u7ba1\u7406\u7cfb\u7edf) 3.0.12 Unauthenticated Arbitrary Password Reset",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.736208"
        },
        {
          "tags": [
            "broken-link",
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/LX-LX88/cve/issues/21"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-22T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-01-22T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-01-31T06:11:05.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Sangfor Operation and Maintenance Security Management System edit_pwd_mall password recovery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-1325",
    "datePublished": "2026-01-22T13:02:11.115Z",
    "dateReserved": "2026-01-22T07:40:49.061Z",
    "dateUpdated": "2026-02-23T08:52:29.862Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15155 (GCVE-0-2026-15155)

Vulnerability from cvelistv5 – Published: 2026-07-11 05:35 – Updated: 2026-07-11 05:35
VLAI
Title
Essential Addons for Elementor <= 6.6.10 - Authenticated (Contributor+) Account Takeover via Email Header Injection
Summary
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers — the allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator's password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover.
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
Impacted products
Credits
Jonah Burgess (CryptoCat)
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Essential Addons for Elementor \u2013 Popular Elementor Templates \u0026 Widgets",
          "vendor": "wpdevteam",
          "versions": [
            {
              "lessThanOrEqual": "6.6.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jonah Burgess (CryptoCat)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Essential Addons for Elementor \u2013 Popular Elementor Templates \u0026 Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers \u2014 the allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator\u0027s password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-11T05:35:49.683Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbe8cf6c-b1fa-4f71-bb63-c8b181e54882?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.10/includes/Traits/Login_Registration.php#L1271"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.10/includes/Traits/Login_Registration.php#L1622"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.10/includes/Elements/Login_Register.php#L3333"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.5/includes/Traits/Login_Registration.php#L1271"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.5/includes/Traits/Login_Registration.php#L1622"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.5/includes/Elements/Login_Register.php#L3333"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3601504/essential-addons-for-elementor-lite/trunk/includes/Traits/Login_Registration.php"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fessential-addons-for-elementor-lite/tags/6.6.10\u0026new_path=%2Fessential-addons-for-elementor-lite/tags/6.6.11"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-08T20:05:45.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-10T16:46:50.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Essential Addons for Elementor \u003c= 6.6.10 - Authenticated (Contributor+) Account Takeover via Email Header Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-15155",
    "datePublished": "2026-07-11T05:35:49.683Z",
    "dateReserved": "2026-07-08T19:50:24.698Z",
    "dateUpdated": "2026-07-11T05:35:49.683Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-15479 (GCVE-0-2026-15479)

Vulnerability from cvelistv5 – Published: 2026-07-12 05:00 – Updated: 2026-07-12 05:00
VLAI
Title
H3C NX15 Administrator Password Modification Endpoint modify change_passwd password recovery
Summary
A vulnerability was found in H3C NX15 V100R017. Affected by this vulnerability is the function change_passwd of the file /api/login/modify of the component Administrator Password Modification Endpoint. The manipulation of the argument newPass results in weak password recovery. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure.
CWE
Assigner
References
URL Tags
https://vuldb.com/vuln/377785 vdb-entrytechnical-description
https://vuldb.com/vuln/377785/cti signaturepermissions-required
https://vuldb.com/cve/CVE-2026-15479 third-party-advisory
https://vuldb.com/submit/837069 third-party-advisory
https://github.com/coconut652-7/IOT_Vul_Public/tr… exploit
Impacted products
Vendor Product Version
H3C NX15 Affected: V100R017
    cpe:2.3:a:h3c:nx15:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
coconut (VulDB User) VulDB CNA Team
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:h3c:nx15:*:*:*:*:*:*:*:*"
          ],
          "modules": [
            "Administrator Password Modification Endpoint"
          ],
          "product": "NX15",
          "vendor": "H3C",
          "versions": [
            {
              "status": "affected",
              "version": "V100R017"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "coconut (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB CNA Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in H3C NX15 V100R017. Affected by this vulnerability is the function change_passwd of the file /api/login/modify of the component Administrator Password Modification Endpoint. The manipulation of the argument newPass results in weak password recovery. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.5,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "Weak Password Recovery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-12T05:00:10.927Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-377785 | H3C NX15 Administrator Password Modification Endpoint modify change_passwd password recovery",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/vuln/377785"
        },
        {
          "name": "VDB-377785 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/vuln/377785/cti"
        },
        {
          "name": "CVE-2026-15479 | CVE Analysis and Report",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/cve/CVE-2026-15479"
        },
        {
          "name": "Submit #837069 | H3C NX15 V100R017 Incorrect Access Control",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/submit/837069"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/coconut652-7/IOT_Vul_Public/tree/main/H3C/NX15R017/pre_auth_pwd_change"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-07-11T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-07-11T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-07-11T12:01:48.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "H3C NX15 Administrator Password Modification Endpoint modify change_passwd password recovery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-15479",
    "datePublished": "2026-07-12T05:00:10.927Z",
    "dateReserved": "2026-07-11T09:56:44.847Z",
    "dateUpdated": "2026-07-12T05:00:10.927Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24467 (GCVE-0-2026-24467)

Vulnerability from cvelistv5 – Published: 2026-04-20 15:40 – Updated: 2026-04-20 16:21
VLAI
Title
OpenAEV's Improper Password Reset Token Management Leads to Unauthenticated Account Takeover and Platform Compromise
Summary
OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable account takeover. The primary issue is that password reset tokens do not expire. Once a token is generated, it remains valid indefinitely, even if significant time has passed or if newer tokens are issued for the same account. This allows an attacker to accumulate valid password reset tokens over time and reuse them at any point in the future to reset a victim’s password. A secondary weakness is that password reset tokens are only 8 digits long. While an 8-digit numeric token provides 100,000,000 possible combinations (which is secure enough), the ability to generate large numbers of valid tokens drastically reduces the required number of attempts to guess a valid password reset token. For example, if an attacker generates 2,000 valid tokens, the brute-force effort is reduced to approximately 50,000 attempts, which is a trivially achievable number of requests for an automated attack. (100 requests per second can mathematically find a valid password reset token in 500 seconds.) By combining these flaws, an attacker can mass-generate valid password reset tokens and then brute-force them efficiently until a match is found, allowing the attacker to reset the victim’s password to a value of their choosing. The original password is not required, and the attack can be performed entirely without authentication. This vulnerability enables full account takeover that leads to platform compromise. An unauthenticated remote attacker can reset the password of any registered user account and gain complete access without authentication. Because user email addresses are exposed to other users by design, a single guessed or observed email address is sufficient to compromise even administrator accounts with non-guessable email addresses. This design flaw results in a reliable and scalable account takeover vulnerability that affects any registered user account in the system. Note: The vulnerability does not require OpenAEV to have the email service configured. The exploit does not depend on the target email address to be a real email address. It just needs to be registered to OpenAEV. Successful exploitation allows an unauthenticated remote attacker to access sensitive data (such as the Findings section of a simulation), modify payloads executed by deployed agents to compromise all hosts where agents are installed (therefore the Scope is changed). Users should upgrade to version 2.0.13 to receive a fix.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
Impacted products
Vendor Product Version
OpenAEV-Platform openaev Affected: >= 1.0.0, < 2.0.13
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24467",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-20T16:21:38.079011Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-20T16:21:50.299Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openaev",
          "vendor": "OpenAEV-Platform",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 2.0.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV\u0027s password reset implementation contains multiple security weaknesses that together allow reliable account takeover. The primary issue is that password reset tokens do not expire. Once a token is generated, it remains valid indefinitely, even if significant time has passed or if newer tokens are issued for the same account. This allows an attacker to accumulate valid password reset tokens over time and reuse them at any point in the future to reset a victim\u2019s password. A secondary weakness is that password reset tokens are only 8 digits long. While an 8-digit numeric token provides 100,000,000 possible combinations (which is secure enough), the ability to generate large numbers of valid tokens drastically reduces the required number of attempts to guess a valid password reset token. For example, if an attacker generates 2,000 valid tokens, the brute-force effort is reduced to approximately 50,000 attempts, which is a trivially achievable number of requests for an automated attack. (100 requests per second can mathematically find a valid password reset token in 500 seconds.) By combining these flaws, an attacker can mass-generate valid password reset tokens and then brute-force them efficiently until a match is found, allowing the attacker to reset the victim\u2019s password to a value of their choosing. The original password is not required, and the attack can be performed entirely without authentication. This vulnerability enables full account takeover that leads to platform compromise. An unauthenticated remote attacker can reset the password of any registered user account and gain complete access without authentication. Because user email addresses are exposed to other users by design, a single guessed or observed email address is sufficient to compromise even administrator accounts with non-guessable email addresses. This design flaw results in a reliable and scalable account takeover vulnerability that affects any registered user account in the system. Note: The vulnerability does not require OpenAEV to have the email service configured.  The exploit does not depend on the target email address to be a real email address. It just needs to be registered to OpenAEV. Successful exploitation allows an unauthenticated remote attacker to access sensitive data (such as the Findings section of a simulation), modify payloads executed by deployed agents to compromise all hosts where agents are installed (therefore the Scope is changed). Users should upgrade to version 2.0.13 to receive a fix."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-20T15:40:56.203Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/OpenAEV-Platform/openaev/security/advisories/GHSA-vcjx-vw28-25p2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/OpenAEV-Platform/openaev/security/advisories/GHSA-vcjx-vw28-25p2"
        },
        {
          "name": "https://github.com/OpenAEV-Platform/openaev/commit/c09a4e71ea76d26fc28c9b51c76bca89a902df4f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OpenAEV-Platform/openaev/commit/c09a4e71ea76d26fc28c9b51c76bca89a902df4f"
        },
        {
          "name": "https://github.com/OpenAEV-Platform/openaev/blob/82fa7d0009017110c9b509d0dc1b3a78164259dd/openaev-api/src/main/java/io/openaev/rest/user/UserApi.java#L120",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OpenAEV-Platform/openaev/blob/82fa7d0009017110c9b509d0dc1b3a78164259dd/openaev-api/src/main/java/io/openaev/rest/user/UserApi.java#L120"
        },
        {
          "name": "https://github.com/OpenAEV-Platform/openaev/releases/tag/2.0.13",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OpenAEV-Platform/openaev/releases/tag/2.0.13"
        }
      ],
      "source": {
        "advisory": "GHSA-vcjx-vw28-25p2",
        "discovery": "UNKNOWN"
      },
      "title": "OpenAEV\u0027s Improper Password Reset Token Management Leads to Unauthenticated Account Takeover and Platform Compromise"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24467",
    "datePublished": "2026-04-20T15:40:56.203Z",
    "dateReserved": "2026-01-23T00:38:20.546Z",
    "dateUpdated": "2026-04-20T16:21:50.299Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2543 (GCVE-0-2026-2543)

Vulnerability from cvelistv5 – Published: 2026-02-16 07:02 – Updated: 2026-02-23 10:06
VLAI
Title
vichan-devel vichan Password Change pages.php unverified password change
Summary
A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverified password change. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-620 - Unverified Password Change
  • CWE-640 - Weak Password Recovery
Assigner
References
URL Tags
https://vuldb.com/?id.346152 vdb-entrytechnical-description
https://vuldb.com/?ctiid.346152 signaturepermissions-required
https://vuldb.com/?submit.749716 third-party-advisory
https://github.com/lakshayyverma/CVE-Discovery/bl… related
Impacted products
Vendor Product Version
vichan-devel vichan Affected: 5.1.0
Affected: 5.1.1
Affected: 5.1.2
Affected: 5.1.3
Affected: 5.1.4
Affected: 5.1.5
Create a notification for this product.
Credits
lakshay12311 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2543",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-17T21:04:24.388259Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-17T21:04:34.109Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Password Change Handler"
          ],
          "product": "vichan",
          "vendor": "vichan-devel",
          "versions": [
            {
              "status": "affected",
              "version": "5.1.0"
            },
            {
              "status": "affected",
              "version": "5.1.1"
            },
            {
              "status": "affected",
              "version": "5.1.2"
            },
            {
              "status": "affected",
              "version": "5.1.3"
            },
            {
              "status": "affected",
              "version": "5.1.4"
            },
            {
              "status": "affected",
              "version": "5.1.5"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "lakshay12311 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverified password change. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 3.3,
            "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:ND/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-620",
              "description": "Unverified Password Change",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "Weak Password Recovery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-23T10:06:50.195Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-346152 | vichan-devel vichan Password Change pages.php unverified password change",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.346152"
        },
        {
          "name": "VDB-346152 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.346152"
        },
        {
          "name": "Submit #749716 | Vichan Devel Vichan  5.1.5 Unverified Password Change",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.749716"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://github.com/lakshayyverma/CVE-Discovery/blob/main/vichan.md"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-15T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-02-15T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-02-20T07:24:21.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "vichan-devel vichan Password Change pages.php unverified password change"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-2543",
    "datePublished": "2026-02-16T07:02:06.623Z",
    "dateReserved": "2026-02-15T15:51:48.549Z",
    "dateUpdated": "2026-02-23T10:06:50.195Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2564 (GCVE-0-2026-2564)

Vulnerability from cvelistv5 – Published: 2026-02-16 16:02 – Updated: 2026-02-23 10:12
VLAI
Title
Intelbras VIP 3260 Z IA OutsideCmd password recovery
Summary
A security flaw has been discovered in Intelbras VIP 3260 Z IA 2.840.00IB005.0.T. Affected by this vulnerability is an unknown functionality of the file /OutsideCmd. The manipulation results in weak password recovery. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitation appears to be difficult. It is recommended to upgrade the affected component.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.346171 vdb-entry
https://vuldb.com/?ctiid.346171 signaturepermissions-required
https://vuldb.com/?submit.741776 third-party-advisory
Impacted products
Vendor Product Version
Intelbras VIP 3260 Z IA Affected: 2.840.00IB005.0.T
Create a notification for this product.
Credits
ak7r4 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2564",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-17T14:54:28.001175Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-17T14:54:37.992Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "VIP 3260 Z IA",
          "vendor": "Intelbras",
          "versions": [
            {
              "status": "affected",
              "version": "2.840.00IB005.0.T"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "ak7r4 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A security flaw has been discovered in Intelbras VIP 3260 Z IA 2.840.00IB005.0.T. Affected by this vulnerability is an unknown functionality of the file /OutsideCmd. The manipulation results in weak password recovery. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitation appears to be difficult. It is recommended to upgrade the affected component."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:O/RC:C",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:O/RC:C",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 7.6,
            "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C/E:ND/RL:OF/RC:C",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "Weak Password Recovery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-23T10:12:32.594Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-346171 | Intelbras VIP 3260 Z IA OutsideCmd password recovery",
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.346171"
        },
        {
          "name": "VDB-346171 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.346171"
        },
        {
          "name": "Submit #741776 | Intelbras VIP 3260 Z IA v2.840.00IB005.0.T Weak Password Recovery",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.741776"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-15T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2026-02-15T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2026-02-18T15:38:32.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Intelbras VIP 3260 Z IA OutsideCmd password recovery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2026-2564",
    "datePublished": "2026-02-16T16:02:06.547Z",
    "dateReserved": "2026-02-15T19:22:27.386Z",
    "dateUpdated": "2026-02-23T10:12:32.594Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25858 (GCVE-0-2026-25858)

Vulnerability from cvelistv5 – Published: 2026-02-07 21:45 – Updated: 2026-04-08 15:02
VLAI
Title
macrozheng mall <= 1.0.3 Unauthenticated Password Reset via OTP Disclosure
Summary
macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
Impacted products
Vendor Product Version
macrozheng mall Affected: 0 , ≤ 1.0.3 (semver)
Create a notification for this product.
Credits
Lennon Chia
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25858",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-10T16:18:03.687222Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T15:02:59.030Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "mall",
          "repo": "https://github.com/macrozheng/mall",
          "vendor": "macrozheng",
          "versions": [
            {
              "lessThanOrEqual": "1.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:newbee-mall_project:newbee-mall:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "1.0.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lennon Chia"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim\u2019s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number."
            }
          ],
          "value": "macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim\u2019s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T17:17:15.650Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/macrozheng/mall/issues/946"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.macrozheng.com/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "macrozheng mall \u003c= 1.0.3 Unauthenticated Password Reset via OTP Disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-25858",
    "datePublished": "2026-02-07T21:45:41.186Z",
    "dateReserved": "2026-02-06T19:12:03.463Z",
    "dateUpdated": "2026-04-08T15:02:59.030Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-26273 (GCVE-0-2026-26273)

Vulnerability from cvelistv5 – Published: 2026-02-13 21:45 – Updated: 2026-02-17 20:00
VLAI
Title
Known affected by Account Takeover via Password Reset Token Leakage
Summary
Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3.
SSVC
Exploitation: poc Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
Impacted products
Vendor Product Version
idno known Affected: < 1.6.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26273",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-17T20:00:43.160262Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-17T20:00:54.355Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "known",
          "vendor": "idno",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user\u0027s email, leading to full Account Takeover (ATO) without requiring access to the victim\u0027s email inbox. This vulnerability is fixed in 1.6.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-13T21:45:41.610Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/idno/known/security/advisories/GHSA-78wq-6gcv-w28r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/idno/known/security/advisories/GHSA-78wq-6gcv-w28r"
        },
        {
          "name": "https://github.com/idno/known/commit/8439a0747471559fb1ea9f074b929d390f27e66a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/idno/known/commit/8439a0747471559fb1ea9f074b929d390f27e66a"
        },
        {
          "name": "https://github.com/idno/known/releases/tag/1.6.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/idno/known/releases/tag/1.6.3"
        }
      ],
      "source": {
        "advisory": "GHSA-78wq-6gcv-w28r",
        "discovery": "UNKNOWN"
      },
      "title": "Known affected by Account Takeover via Password Reset Token Leakage"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-26273",
    "datePublished": "2026-02-13T21:45:41.610Z",
    "dateReserved": "2026-02-12T17:10:53.413Z",
    "dateUpdated": "2026-02-17T20:00:54.355Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27593 (GCVE-0-2026-27593)

Vulnerability from cvelistv5 – Published: 2026-02-24 21:38 – Updated: 2026-02-27 20:56
VLAI
Title
Statamic is vulnerable to account takeover via password reset link injection
Summary
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
Impacted products
Vendor Product Version
statamic cms Affected: < 5.73.10
Affected: >= 6.0.0-alpha.1, < 6.3.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27593",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-27T20:55:56.535981Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-27T20:56:07.561Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "statamic",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.73.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0-alpha.1, \u003c 6.3.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user\u0027s token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn\u0027t request the reset. This has been fixed in 6.3.3 and 5.73.10."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-24T21:38:17.354Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/statamic/cms/security/advisories/GHSA-jxq9-79vj-rgvw"
        },
        {
          "name": "https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/commit/6fdd03324982848e8754f2edd2265262d361714e"
        },
        {
          "name": "https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/commit/78e63dfcf705b116d5ac0f7f7f5a1a69be63d1be"
        },
        {
          "name": "https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/commit/b2be592ddfb588bcb88c9be454f3590e14b145b0"
        },
        {
          "name": "https://github.com/statamic/cms/releases/tag/v5.73.10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/releases/tag/v5.73.10"
        },
        {
          "name": "https://github.com/statamic/cms/releases/tag/v6.3.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/statamic/cms/releases/tag/v6.3.3"
        }
      ],
      "source": {
        "advisory": "GHSA-jxq9-79vj-rgvw",
        "discovery": "UNKNOWN"
      },
      "title": "Statamic is vulnerable to account takeover via password reset link injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27593",
    "datePublished": "2026-02-24T21:38:17.354Z",
    "dateReserved": "2026-02-20T19:43:14.601Z",
    "dateUpdated": "2026-02-27T20:56:07.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28213 (GCVE-0-2026-28213)

Vulnerability from cvelistv5 – Published: 2026-02-26 22:31 – Updated: 2026-02-27 18:51
VLAI
Title
EverShop Vulnerable to Arbitrary Customer Account Takeover via Exposure of Password Reset Token in API Response
Summary
EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated account. Version 2.1.1 fixes the issue.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28213",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-27T18:50:55.596307Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-27T18:51:10.647Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "evershop",
          "vendor": "evershopcommerce",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the \"Forgot Password\" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated account. Version 2.1.1 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-26T22:31:47.122Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/evershopcommerce/evershop/security/advisories/GHSA-cg73-g723-39jw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/evershopcommerce/evershop/security/advisories/GHSA-cg73-g723-39jw"
        },
        {
          "name": "https://github.com/evershopcommerce/evershop/releases/tag/v2.1.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/evershopcommerce/evershop/releases/tag/v2.1.1"
        }
      ],
      "source": {
        "advisory": "GHSA-cg73-g723-39jw",
        "discovery": "UNKNOWN"
      },
      "title": "EverShop Vulnerable to Arbitrary Customer Account Takeover via Exposure of Password Reset Token in API Response"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28213",
    "datePublished": "2026-02-26T22:31:47.122Z",
    "dateReserved": "2026-02-25T15:28:40.649Z",
    "dateUpdated": "2026-02-27T18:51:10.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phase: Architecture and Design

Description:

  • Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
Mitigation

Phase: Architecture and Design

Description:

  • Do not use standard weak security questions and use several security questions.
Mitigation

Phase: Architecture and Design

Description:

  • Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
Mitigation

Phase: Architecture and Design

Description:

  • Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
Mitigation

Phase: Architecture and Design

Description:

  • Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
Mitigation

Phase: Architecture and Design

Description:

  • Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.

Back to CWE stats page