Skip to main content

PenguinMod-BackendApi CVE-2026-47181

| EUVDEUVD-2026-36292 HIGH
Improper Input Validation (CWE-20)
2026-06-11 GitHub_M
8.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.9 CRITICAL

Network-reachable reset endpoint (AV:N), trivial payload (AC:L), any registered user suffices (PR:L), no victim interaction (UI:N); compromise of other accounts is a scope change (S:C) with high C/I and limited A impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 20:01 EUVD
Analysis Generated
Jun 11, 2026 - 19:25 vuln.today

DescriptionCVE.org

PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0.

AnalysisAI

Account takeover in PenguinMod-BackendApi versions prior to 1.0.0 allows any authenticated user holding a valid password reset token for their own account to change the password of any other account via a NoSQL injection flaw in the password reset endpoint. The issue is tracked as CWE-20 (improper input validation) and tagged as Code Injection; no public exploit identified at time of analysis, but a vendor security advisory (GHSA-wwwc-jwrc-3pj8) has been published.

Technical ContextAI

PenguinMod-BackendApi is the Node.js-style backend API powering the PenguinMod platform (CPE cpe:2.3:a:penguinmod:penguinmod-backendapi). The root cause is CWE-20 improper input validation in the password reset handler: the endpoint forwards user-controlled JSON into a NoSQL query (typically MongoDB) without strict type checking, so an attacker can substitute query-operator objects (e.g., {"$ne": null}, {"$gt": ""}) where a scalar identifier or token is expected. The query then matches records other than the attacker's, letting the password update affect arbitrary accounts. This pattern is the canonical NoSQL injection variant against MongoDB document filters and is classified here under Code Injection.

RemediationAI

Vendor-released patch: PenguinMod-BackendApi 1.0.0 - upgrade immediately per advisory GHSA-wwwc-jwrc-3pj8 (https://github.com/PenguinMod/PenguinMod-BackendApi/security/advisories/GHSA-wwwc-jwrc-3pj8). If an emergency upgrade is not possible, operators should disable the password reset endpoint at the reverse proxy or feature-flag level (side effect: legitimate users cannot self-recover and will require manual operator resets), enforce strict JSON schema/type validation on reset-token and identifier fields at an API gateway or WAF to reject any value that is not a primitive string (side effect: requires custom rule tuning and risks false positives on legitimate clients), and invalidate all outstanding reset tokens plus rotate session secrets after upgrade to evict any attacker who may have pre-positioned tokens.

Share

CVE-2026-47181 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy