Total: 262 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-55030 | 1 Mozilla | 1 Firefox | 2026-04-13 | N/A | 6.1 MEDIUM |
| Firefox for iOS did not respect a Content-Disposition header of type `attachment` and incorrectly displayed the content inline rather than downloading it, potentially allowing XSS attacks. This vulnerability was fixed in Firefox for iOS 142. | |||||
| CVE-2023-7264 | 1 Buildapp | 1 Build App Online | 2026-04-08 | N/A | 8.1 HIGH |
| The Build App Online plugin for WordPress is vulnerable to account takeover due to a weak password reset mechanism in all versions up to, and including, 1.0.22. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing a 4-digit numeric reset code. | |||||
| CVE-2023-4214 | 1 Apppresser | 1 Apppresser | 2026-04-08 | N/A | 8.1 HIGH |
| The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including, 4.2.5. This is due to the plugin generating too weak a reset code, and verification of that code has no attempt or time limit. | |||||
| CVE-2026-25858 | 1 Macrozheng | 1 Mall | 2026-04-07 | N/A | 9.1 CRITICAL |
| macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number. | |||||
| CVE-2026-32865 | 1 Opexustech | 1 Ecase Ecomplaint | 2026-03-30 | N/A | 9.8 CRITICAL |
| OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process. | |||||
| CVE-2026-32103 | 1 Studiocms | 1 Studiocms | 2026-03-17 | N/A | 6.8 MEDIUM |
| StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/dashboard/reset-password endpoint, this allows a complete account takeover of the highest-privileged account in the system. This vulnerability is fixed in 0.4.3. | |||||
| CVE-2026-28268 | 1 Vikunja | 1 Vikunja | 2026-03-06 | N/A | 9.8 CRITICAL |
| Vikunja is an open-source self-hosted task management platform. Versions prior to 2.1.0 have a business logic vulnerability in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid forever. This allows an attacker who intercepts a single reset token (via logs, browser history, or phishing) to perform a complete, persistent account takeover at any point in the future, bypassing standard authentication controls. Version 2.1.0 contains a patch for the issue. | |||||
| CVE-2026-28213 | 1 Evershop | 1 Evershop | 2026-02-28 | N/A | 9.8 CRITICAL |
| EverShop is a TypeScript-first eCommerce platform. Versions prior to 2.1.1 have a vulnerability in the "Forgot Password" functionality. When specifying a target email address, the API response returns the password reset token. This allows an attacker to take over the associated account. Version 2.1.1 fixes the issue. | |||||
| CVE-2026-27593 | 1 Statamic | 1 Statamic | 2026-02-25 | N/A | 9.3 CRITICAL |
| Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 6.3.3 and 5.73.10, an attacker may leverage a vulnerability in the password reset feature to capture a user's token and reset the password on their behalf. The attacker must know the email address of a valid account on the site, and the actual user must blindly click the link in their email even though they didn't request the reset. This has been fixed in 6.3.3 and 5.73.10. | |||||
| CVE-2025-64113 | 1 Emby | 1 Emby | 2026-02-24 | N/A | 9.8 CRITICAL |
| Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level). Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable. This issue is fixed in version 4.9.1.81. | |||||
| CVE-2020-37158 | 1 Wwbn | 1 Avideo | 2026-02-20 | N/A | 5.3 MEDIUM |
| AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication. | |||||
| CVE-2026-26273 | 1 Withknown | 1 Known | 2026-02-18 | N/A | 9.8 CRITICAL |
| Known is a social publishing platform. Known 1.6.2 and earlier contain a critical broken-authentication vulnerability: the application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3. | |||||
| CVE-2020-37172 | 1 Wwbn | 1 Avideo | 2026-02-18 | N/A | 5.3 MEDIUM |
| AVideo Platform 8.1 contains a cross-site request forgery vulnerability that allows attackers to reset user passwords by exploiting the password recovery mechanism. Attackers can craft malicious requests to the recoverPass endpoint using the user's recovery token to change account credentials without authentication. | |||||
| CVE-2022-50910 | 1 Beehiveforum | 1 Beehive Forum | 2026-02-02 | N/A | 9.8 CRITICAL |
| Beehive Forum 1.5.2 contains a host header injection vulnerability in the forgot password functionality that allows attackers to manipulate password reset requests. Attackers can inject a malicious host header to intercept password reset tokens and change victim account passwords without direct authentication. | |||||
| CVE-2026-1325 | 1 Sangfor | 1 Operation And Maintenance Security Management System | 2026-01-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-63314 | 1 Ddsn | 1 Cm3 Acora Cms | 2026-01-22 | N/A | 10.0 CRITICAL |
| A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack. | |||||
| CVE-2025-52560 | 1 Kanboard | 1 Kanboard | 2026-01-13 | N/A | 8.1 HIGH |
| Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configuration is unset (default behavior). This allows an attacker to craft a malicious password reset link that leaks the token to an attacker-controlled domain. If a victim (including an administrator) clicks the poisoned link, their account can be taken over. This affects all users who initiate a password reset while application_url is not set. This issue has been patched in version 1.2.46. | |||||
| CVE-2025-6097 | 1 Utt | 2 750w, 750w Firmware | 2026-01-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in UTT 进取 750W up to 5.0 and classified as critical. Affected by this issue is the function formDefineManagement of the file /goform/setSysAdm of the component Administrator Password Handler. The manipulation of the argument passwd1 leads to unverified password change. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-65203 | 1 Keepassxc | 1 Keepassxc-browser | 2026-01-05 | N/A | 7.1 HIGH |
| KeePassXC-Browser through 1.9.9.2 autofills, or prompts to fill, stored credentials into documents that the browser has sandboxed via the CSP `sandbox` directive or the iframe `sandbox` attribute, allowing attacker-controlled script in the sandboxed document to read the populated form fields and exfiltrate the credentials. | |||||
| CVE-2025-50433 | 1 Monnit | 1 Imonnit | 2025-12-29 | N/A | 9.8 CRITICAL |
| An issue was discovered in imonnit.com (2025-04-24) allowing malicious actors to gain escalated privileges via crafted password reset to take over arbitrary user accounts. | |||||
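Several entries in this listing are the same reset-flow mistake in different clothing: a short numeric code with no attempt limit (CVE-2023-7264, CVE-2023-4214), the secret echoed back in the API response or page (CVE-2026-25858, CVE-2026-32865, CVE-2026-28213, CVE-2026-26273), a token that is never invalidated or expired (CVE-2026-28268), and a fixed token that can be replayed (CVE-2025-63314). The following is an added example, constructed for this page and not code from any of the products above, that puts the weak pattern beside a hardened one. The 15-minute lifetime, the five-guess cap and the in-memory stores are assumptions; `outbox` stands in for the e-mail or SMS channel.

```python
"""Password-reset token handling: the weak pattern beside a hardened one.

Added example for this listing. It is constructed code, not code from any of
the products above; the TTL, attempt cap and in-memory stores are assumptions.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of an issued reset token
MAX_ATTEMPTS = 5              # assumed cap on wrong guesses per issued token


class WeakResetFlow:
    """Reproduces the failure modes above in one place: a 4-digit numeric code,
    echoed back in the API response, never expiring, never invalidated, and
    verified with no attempt limit."""

    def __init__(self):
        self.codes = {}   # user_id -> plaintext code, kept until overwritten

    def request_reset(self, user_id):
        code = f"{secrets.randbelow(10_000):04d}"   # only 10,000 possibilities
        self.codes[user_id] = code
        return {"message": "code sent", "code": code}   # the secret leaks to the caller

    def complete_reset(self, user_id, code, new_password):
        # No expiry, no attempt counter, and the code stays valid after use.
        return self.codes.get(user_id) == code


class HardenedResetFlow:
    """Opaque high-entropy token, stored only as a hash, time-limited, single
    use, attempt-capped, and never written into the HTTP response."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}     # user_id -> [sha256(token), expires_at, attempts]
        self.outbox = []      # (user_id, token): stands in for the e-mail channel
        self.passwords = {}   # user_id -> new password (stand-in for the user store)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, user_id):
        token = secrets.token_urlsafe(32)   # 256 bits of entropy
        self.pending[user_id] = [self._digest(token), self.clock() + TOKEN_TTL_SECONDS, 0]
        self.outbox.append((user_id, token))   # delivered out of band only
        # Same generic reply whether or not the account exists; no token in it.
        return {"message": "If that account exists, a reset link has been sent."}

    def complete_reset(self, user_id, token, new_password):
        rec = self.pending.get(user_id)
        if rec is None:
            return False
        digest, expires_at, attempts = rec
        if self.clock() > expires_at:
            del self.pending[user_id]   # expired: purge rather than leave it lying around
            return False
        rec[2] = attempts + 1
        if rec[2] > MAX_ATTEMPTS:
            del self.pending[user_id]   # too many guesses: burn the token
            return False
        if not hmac.compare_digest(digest, self._digest(token)):
            return False
        del self.pending[user_id]       # single use: a replay of this token fails
        self.passwords[user_id] = new_password
        return True


def guess_numeric_code(flow, user_id, new_password="owned"):
    """Attacker that tries every 4-digit code in order. Returns how many
    attempts it took to succeed, or 0 if the flow never accepted a guess."""
    for n in range(10_000):
        if flow.complete_reset(user_id, f"{n:04d}", new_password):
            return n + 1
    return 0
```

Against `WeakResetFlow` the guesser always succeeds within 10,000 requests, and the code it recovered keeps working afterwards; against `HardenedResetFlow` the sixth wrong guess burns the token, a correct token works exactly once, and a token presented after its TTL is purged. Note that the hardened `request_reset` deliberately gives the same reply for unknown accounts, so the endpoint cannot be used to enumerate users either.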
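CVE-2022-50910 (Beehive Forum) and CVE-2025-52560 (Kanboard) are the other recurring pattern above: the origin of the e-mailed reset link is copied from the request's Host header, so an attacker who requests a reset for the victim with a poisoned Host gets the victim to mail the real token to the attacker's domain. The following is an added example, constructed for this page and not Kanboard's or Beehive Forum's code, showing the vulnerable construction next to one that uses the configured application URL and, when that is unset, only an explicit host allowlist. `APPLICATION_URL` and `ALLOWED_HOSTS` are assumed operator settings; `headers` is a plain dict standing in for the request headers.

```python
"""Building password-reset links without trusting the Host header.

Added example for this listing; constructed code, not Kanboard's or Beehive
Forum's. APPLICATION_URL and ALLOWED_HOSTS are assumed operator settings.
"""
import re
from urllib.parse import urlencode, urlsplit, urlunsplit

APPLICATION_URL = "https://tasks.example.org"          # configured canonical origin
ALLOWED_HOSTS = {"tasks.example.org", "tasks-internal.example.org"}
_HOST_RE = re.compile(r"[A-Za-z0-9.-]+(?::\d{1,5})?")   # bare host[:port], nothing else


def reset_link_from_host_header(headers, token):
    """The vulnerable pattern: the origin of the mailed link is whatever the
    client put in Host, so a poisoned request mails the victim a link to the
    attacker's domain that carries the genuine token."""
    return f"https://{headers['Host']}/reset?token={token}"


def reset_link(headers, token, application_url=APPLICATION_URL, allowed_hosts=ALLOWED_HOSTS):
    """Hardened: use the configured URL (scheme, host and path prefix) when set.
    When it is not, accept Host only if it is exactly a host[:port] on the
    allowlist; otherwise return None so the caller sends nothing and logs it."""
    if application_url:
        base = urlsplit(application_url)
        scheme, netloc, prefix = base.scheme, base.netloc, base.path.rstrip("/")
    else:
        host = headers.get("Host", "")
        if not _HOST_RE.fullmatch(host) or host.split(":")[0].lower() not in allowed_hosts:
            return None   # userinfo, paths, or an unknown host: refuse to build a link
        scheme, netloc, prefix = "https", host, ""
    return urlunsplit((scheme, netloc, prefix + "/reset", urlencode({"token": token}), ""))


def link_hostname(link):
    """Hostname the link would send the browser, and therefore the token, to."""
    return urlsplit(link).hostname
```

The allowlist check uses a strict `host[:port]` pattern rather than `urlsplit` alone, because a Host value such as `evil.example@tasks.example.org` parses to the trusted hostname while still placing attacker-controlled text in the link. Setting the canonical URL in configuration remains the primary fix; the allowlist is only the fallback for deployments that leave it unset.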
