ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using `req.hostname`, which is derived directly from the attacker-controlled HTTP `Host` header when `apos.baseUrl` is not explicitly configured. An unauthenticated attacker who knows a victim's email address can send a crafted reset reques

A security flaw has been discovered in PbootCMS up to 3.2.12. This vulnerability affects the function retrieve of the file apps/home/controller/MemberController.php of the component Password Handler. The manipulation of the argument username/password/email/checkcode results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may

LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost() results in no operation. A remote, unauthenticated attacker who submits a forgotten-password request for a known account (r

A vulnerability was detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected by this vulnerability is the function ajax_forgot_password of the file application/controllers/Login.php of the component Forgot Password Endpoint. The manipulation of the argument email results in weak password recovery. The attack can be launched remo

CVE-2026-10169 影响 OUSL-GROUP-BrinaryBrains 开发的学校学生管理系统（截至 commit 1e70e5ad1125b86dca4ee086eb6bb121f17708b6）。漏洞位于 application/controllers/Login.php 文件中的 ajax_forgot_password 函数（Forgot Password 端点），通过操纵 email 参数可导致弱密码恢复机制。攻击复杂度高（CVSS v3.1 评分 3.7），但攻击者无需认证即可远程利用。目前漏洞利用代码已公开，厂商已知情但未回应。由于该产品未使用版本控制，无法确定受影响的确切版本号。建议安全团队限制 Forgot Password 端点的网络暴露，并实施额外的验证措施（如 CAPTCHA、速率限制）。

The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and doe

The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and doe

A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

### Summary An authentication bypass vulnerability in phpMyFAQ allows any unauthenticated attacker to reset the password of any user account, including SuperAdmin accounts. By sending a PUT request with just a valid username and associated email address to /api/user/password/update, an attacker receives a new plaintext password via email without any token verification, rate limiting, or email conf

### Summary The password reset API can be triggered without authentication and without any out-of-band confirmation step. If an attacker knows a valid `username + email` pair, they can call the reset endpoint directly. The application immediately generates a new password, writes it to the account, and only then sends the new password by email. This creates two issues at the same time: - accoun

AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the

The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined

LatePoint WordPress插件至5.5.0版本存在账户接管漏洞。漏洞源于未认证的访客预订流程中，save_connected_wordpress_user()函数通过wp_update_user()将LatePoint客户的电子邮件传播到关联的WordPress用户账户时，缺乏所有权验证。结合访客预订流程可在不认证的情况下通过基于电话的合并覆盖现有客户的电子邮件，使得未认证攻击者能够覆盖未关联LatePoint客户的非超级管理员WordPress用户账户的电子邮件地址。随后攻击者可触发标准WordPress密码重置流程，将重置链接发送至攻击者控制的邮箱，从而实现完全账户接管。此漏洞影响启用了WordPress用户集成、基于电话的联系合并以及禁用客户认证的配置。单站点安装的管理员账户不受影响。CVSS评分5.3（中等）。建议升级到修复版本；临时缓解措施包括禁用电话合并功能或启用客户认证。

## Summary The `ApplyXForwarded` middleware unconditionally trusts the client-supplied `X-Forwarded-Host` HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. T

phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can ca

A vulnerability was determined in D-Link M60 up to 1.20B02. Affected by this issue is some unknown functionality of the file /usr/bin/httpd. This manipulation causes weak password recovery. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized.