
CWE-640

Weak Password Recovery Mechanism for Forgotten Password

57 CVEs · Avg CVSS 7.2 · MITRE
Severity: 18 CRITICAL, 16 HIGH, 15 MEDIUM, 8 LOW · 17 with public POC · 0 in CISA KEV


CVE-2026-35676 HIGH PATCH GHSA This Week

Unauthenticated account takeover in phpMyFAQ before 4.1.3 allows remote attackers to forcibly reset any user's password by sending a PUT request to the /api/index.php/user/password/update endpoint with a valid username and email pair. The endpoint also reveals whether a given username/email pair is valid through differing response codes (200 vs 409), enabling username/email enumeration before the reset. No public exploit identified at time of analysis, though a detailed PoC is published in the GHSA advisory.

Tags: PHP, Information Disclosure · Sources: NVD, GitHub · CVSS 4.0: 8.8
CVE-2026-9609 LOW Monitor

Weak password recovery in QianFox FoxCMS versions 1.2.0 through 1.2.6 exposes the admin panel's account recovery flow to abuse by authenticated administrators via a remotely accessible network vector. Publicly available exploit code exists (CVSS E:P), though the requirement for high privileges (PR:H) substantially constrains real-world impact, corroborated by an EPSS score of just 0.03% (11th percentile) and no CISA KEV listing. The vendor was notified via a GitHub issue report but has not responded, leaving all affected versions unpatched at time of analysis.

Tags: PHP, Information Disclosure · Sources: NVD, GitHub, VulDB · CVSS 4.0: 2.0 · EPSS: 0.0%
CVE-2026-36438 MEDIUM This Month

Unauthenticated information disclosure in the Intelbras VIP-1230-D-G4 Wi-Fi dome IP camera (firmware V2.800.00IB00C.0.T) exposes sensitive data through the password reset endpoint at /OutsideCmd. Remote, unauthenticated attackers can query this endpoint directly over the network to retrieve sensitive information (likely credentials or reset tokens) without any prior authentication or user interaction. Publicly available exploit code exists on GitHub (kensh1k/CVE-2026-36438), lowering the bar for exploitation; no CISA KEV listing has been confirmed at time of analysis.

Tags: Information Disclosure · Sources: NVD, GitHub · CVSS 3.1: 5.3 · EPSS: 0.0%
CVE-2026-7652 MEDIUM This Month

LatePoint plugin for WordPress versions up to 5.5.0 allows unauthenticated attackers to perform account takeover of non-super-admin WordPress users by exploiting a weak password recovery mechanism in the guest booking flow. The vulnerability chains two flaws: the plugin's save_connected_wordpress_user() function updates WordPress user emails via wp_update_user() without ownership verification, and the guest booking flow permits email overwrites through phone-based customer merging without authentication. Attackers can overwrite a target user's email address and then trigger WordPress's standard password reset to gain full account access. No public exploit code has been identified at time of analysis, but exploitation requires only that the plugin be configured with WordPress user integration enabled, phone-based contact merging enabled, and customer authentication disabled.

Tags: WordPress, Information Disclosure · Sources: NVD · CVSS 3.1: 5.3 · EPSS: 0.2%
CVE-2026-34408 CRITICAL Act Now

Password reset bypass in Gambio GX4 e-commerce platform allows remote unauthenticated attackers to set arbitrary passwords for any user account when the account ID is known, leading to complete account takeover. Affects versions 4.0.0.0 through 4.9.2.0, patched in February 2024 security update (2024-02 v1.0.0). SSVC framework rates this as automatable with total technical impact despite EPSS score of 0.02%, indicating high severity for targeted attacks against Gambio installations. No active exploitation confirmed via CISA KEV, but authentication bypass primitives are frequently weaponized in e-commerce platforms.

Tags: Authentication Bypass, N/A · Sources: NVD · CVSS 3.1: 9.1 · EPSS: 0.0%
CVE-2026-42606 PHP HIGH PATCH GHSA This Week

Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.

Tags: PHP, Docker, CSRF, Nginx · Sources: NVD, GitHub, VulDB · CVSS 3.1: 8.1 · EPSS: 0.0%
CVE-2026-29199 HIGH This Week

Host header injection in phpBB versions 3.0.0 through 3.3.15 enables password reset link poisoning when force_server_vars is disabled. Attackers manipulating HTTP Host headers can redirect password reset links to attacker-controlled domains, enabling credential theft and account takeover. CVSS 8.1 with network vector and no authentication required, though EPSS exploitation probability is low (0.02%, 4th percentile), suggesting limited observed exploitation activity. Vendor-released fix available in phpBB 3.3.16.

Tags: Code Injection · Sources: NVD · CVSS 3.1: 8.1 · EPSS: 0.0%
CVE-2026-7554 LOW POC Monitor

Weak password recovery in D-Link M60 up to version 1.20B02 allows remote attackers to compromise device authentication through manipulation of the /usr/bin/httpd binary, requiring high attack complexity but with publicly disclosed exploit code available. The vulnerability enables information disclosure and potential unauthorized access to device management functions despite the low CVSS score of 2.9 reflecting limited confidentiality impact.

Tags: Information Disclosure, D-Link · Sources: NVD, VulDB · CVSS 4.0: 2.9 · EPSS: 0.0%
CVE-2026-40585 HIGH PATCH This Week

Password reset tokens in blueprintUE self-hosted edition remain valid indefinitely, allowing attackers who intercept a reset link to compromise accounts at any future time. The vulnerability affects all versions prior to 4.2.0. While exploitation requires initial interception of a password reset token (AC:H), successful exploitation grants persistent unauthorized access with high confidentiality and integrity impact but no availability impact (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, score 7.4). No active exploitation, KEV listing, or public POC identified at time of analysis.

Tags: Information Disclosure · Sources: NVD, GitHub · CVSS 3.1: 7.4 · EPSS: 0.0%
CVE-2026-24467 CRITICAL PATCH Act Now

Account takeover in OpenAEV cyber adversary simulation platform (versions 1.0.0 through 2.0.12) allows remote unauthenticated attackers to reset any user's password via 8-digit reset tokens that never expire. By mass-generating tokens and brute-forcing the small token space, attackers can reliably compromise administrator accounts within minutes, leading to full platform compromise including modification of payloads executed on all agent-deployed hosts. EPSS data not provided; no CISA KEV listing identified at time of analysis. Vendor-released patch available in version 2.0.13.

Tags: Information Disclosure · Sources: NVD, GitHub · CVSS 3.1: 9.0 · EPSS: 0.2%
