Skip to main content

FoxCMS EUVDEUVD-2026-32029

| CVE-2026-9609 LOW
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-05-27 cna@vuldb.com GHSA-8w64-6cpx-85ph
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:30 vuln.today

DescriptionCVE.org

A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Weak password recovery in QianFox FoxCMS versions 1.2.0 through 1.2.6 exposes the admin panel's account recovery flow to abuse by authenticated administrators via a remotely accessible network vector. Publicly available exploit code exists (CVSS E:P), though the requirement for high privileges (PR:H) substantially constrains real-world impact, corroborated by an EPSS score of just 0.03% (11th percentile) and no CISA KEV listing. The vendor was notified via a GitHub issue report but has not responded, leaving all affected versions unpatched at time of analysis.

Technical ContextAI

FoxCMS is a PHP-based content management system maintained by QianFox and hosted at https://github.com/QianFox/FoxCMS/. The vulnerability resides in the Edit function within Admin.php, a file associated with administrative backend operations. CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) describes flaws in account recovery flows - common manifestations include predictable or reusable recovery tokens, insufficient token expiry, lack of rate limiting on recovery attempts, or insecure transmission of recovery credentials. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N) confirms the flaw is reachable over a network with low attack complexity and no additional prerequisites beyond high privilege access, placing the vulnerable surface firmly within the authenticated administrative interface of the CMS. Tags of PHP and Information Disclosure align with a scenario where recovery token or credential data may be disclosed through this mechanism.

RemediationAI

No vendor-released patch has been identified at time of analysis - the vendor received responsible disclosure via GitHub issue at https://github.com/QianFox/FoxCMS/issues/3 and has not responded. As the primary compensating control, restrict network access to the FoxCMS administrative panel (Admin.php) to explicitly allowlisted trusted IP addresses using firewall rules or web server access control directives (e.g., Apache 'Require ip' or nginx 'allow/deny' blocks); this directly addresses the AV:N vector and prevents remote attackers from reaching the vulnerable endpoint. Additionally, enforce strong and unique administrator passwords across all accounts, which reduces the exploitability of any credential-recovery weakness. Organizations should monitor the upstream repository at https://github.com/QianFox/FoxCMS/ for any forthcoming patch releases and evaluate whether the lack of vendor responsiveness warrants migrating to an actively maintained CMS. Note that IP allowlisting may disrupt legitimate remote administration workflows and requires coordination with teams that manage the CMS remotely.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-32029 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy