Skip to main content

Penguinmod Backendapi

1 CVEs product

Monthly

CVE-2026-47181 HIGH PATCH This Week

Account takeover in PenguinMod-BackendApi versions prior to 1.0.0 allows any authenticated user holding a valid password reset token for their own account to change the password of any other account via a NoSQL injection flaw in the password reset endpoint. The issue is tracked as CWE-20 (improper input validation) and tagged as Code Injection; no public exploit identified at time of analysis, but a vendor security advisory (GHSA-wwwc-jwrc-3pj8) has been published.

Code Injection Penguinmod Backendapi
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Account takeover in PenguinMod-BackendApi versions prior to 1.0.0 allows any authenticated user holding a valid password reset token for their own account to change the password of any other account via a NoSQL injection flaw in the password reset endpoint. The issue is tracked as CWE-20 (improper input validation) and tagged as Code Injection; no public exploit identified at time of analysis, but a vendor security advisory (GHSA-wwwc-jwrc-3pj8) has been published.

Code Injection Penguinmod Backendapi
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy