Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Weak password recovery in QianFox FoxCMS versions 1.2.0 through 1.2.6 exposes the admin panel's account recovery flow to abuse by authenticated administrators via a remotely accessible network vector. Publicly available exploit code exists (CVSS E:P), though the requirement for high privileges (PR:H) substantially constrains real-world impact, corroborated by an EPSS score of just 0.03% (11th percentile) and no CISA KEV listing. The vendor was notified via a GitHub issue report but has not responded, leaving all affected versions unpatched at time of analysis.
Technical ContextAI
FoxCMS is a PHP-based content management system maintained by QianFox and hosted at https://github.com/QianFox/FoxCMS/. The vulnerability resides in the Edit function within Admin.php, a file associated with administrative backend operations. CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) describes flaws in account recovery flows - common manifestations include predictable or reusable recovery tokens, insufficient token expiry, lack of rate limiting on recovery attempts, or insecure transmission of recovery credentials. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N) confirms the flaw is reachable over a network with low attack complexity and no additional prerequisites beyond high privilege access, placing the vulnerable surface firmly within the authenticated administrative interface of the CMS. Tags of PHP and Information Disclosure align with a scenario where recovery token or credential data may be disclosed through this mechanism.
RemediationAI
No vendor-released patch has been identified at time of analysis - the vendor received responsible disclosure via GitHub issue at https://github.com/QianFox/FoxCMS/issues/3 and has not responded. As the primary compensating control, restrict network access to the FoxCMS administrative panel (Admin.php) to explicitly allowlisted trusted IP addresses using firewall rules or web server access control directives (e.g., Apache 'Require ip' or nginx 'allow/deny' blocks); this directly addresses the AV:N vector and prevents remote attackers from reaching the vulnerable endpoint. Additionally, enforce strong and unique administrator passwords across all accounts, which reduces the exploitability of any credential-recovery weakness. Organizations should monitor the upstream repository at https://github.com/QianFox/FoxCMS/ for any forthcoming patch releases and evaluate whether the lack of vendor responsiveness warrants migrating to an actively maintained CMS. Note that IP allowlisting may disrupt legitimate remote administration workflows and requires coordination with teams that manage the CMS remotely.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32029
GHSA-8w64-6cpx-85ph