Skip to main content

FoxCMS CVE-2026-9609

| EUVD-2026-32029 LOW
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-05-27 cna@vuldb.com GHSA-8w64-6cpx-85ph
PHP Information Disclosure
2.0
CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:30 vuln.today

DescriptionNVD

A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Weak password recovery in QianFox FoxCMS versions 1.2.0 through 1.2.6 exposes the admin panel's account recovery flow to abuse by authenticated administrators via a remotely accessible network vector. Publicly available exploit code exists (CVSS E:P), though the requirement for high privileges (PR:H) substantially constrains real-world impact, corroborated by an EPSS score of just 0.03% (11th percentile) and no CISA KEV listing. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-9609 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy