Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable reset endpoint (AV:N), trivial payload (AC:L), any registered user suffices (PR:L), no victim interaction (UI:N); compromise of other accounts is a scope change (S:C) with high C/I and limited A impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0.
AnalysisAI
Account takeover in PenguinMod-BackendApi versions prior to 1.0.0 allows any authenticated user holding a valid password reset token for their own account to change the password of any other account via a NoSQL injection flaw in the password reset endpoint. The issue is tracked as CWE-20 (improper input validation) and tagged as Code Injection; no public exploit identified at time of analysis, but a vendor security advisory (GHSA-wwwc-jwrc-3pj8) has been published.
Technical ContextAI
PenguinMod-BackendApi is the Node.js-style backend API powering the PenguinMod platform (CPE cpe:2.3:a:penguinmod:penguinmod-backendapi). The root cause is CWE-20 improper input validation in the password reset handler: the endpoint forwards user-controlled JSON into a NoSQL query (typically MongoDB) without strict type checking, so an attacker can substitute query-operator objects (e.g., {"$ne": null}, {"$gt": ""}) where a scalar identifier or token is expected. The query then matches records other than the attacker's, letting the password update affect arbitrary accounts. This pattern is the canonical NoSQL injection variant against MongoDB document filters and is classified here under Code Injection.
RemediationAI
Vendor-released patch: PenguinMod-BackendApi 1.0.0 - upgrade immediately per advisory GHSA-wwwc-jwrc-3pj8 (https://github.com/PenguinMod/PenguinMod-BackendApi/security/advisories/GHSA-wwwc-jwrc-3pj8). If an emergency upgrade is not possible, operators should disable the password reset endpoint at the reverse proxy or feature-flag level (side effect: legitimate users cannot self-recover and will require manual operator resets), enforce strict JSON schema/type validation on reset-token and identifier fields at an API gateway or WAF to reject any value that is not a primitive string (side effect: requires custom rule tuning and risks false positives on legitimate clients), and invalidate all outstanding reset tokens plus rotate session secrets after upgrade to evict any attacker who may have pre-positioned tokens.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36292