CVE-2026-48902

CVE-2026-48902 affects Joomla! Core. The password/username reset features generate plain http links for https connections when Force SSL is not explicitly enabled, enabling possible credential exposure via downgraded transport. The issue is documented across multiple feeds (e.g., JOOMLA-1050) and...

PT-2026-41155

Name of the Vulnerable Software and Affected Versions ApostropheCMS versions prior to 4.29.0 Description The password reset flow in the resetRequest route of the modules/@apostrophecms/login/index.js component constructs the reset URL using req.hostname. When apos.baseUrl is not explicitly...

Weak Password Recovery Mechanism for Forgotten Password

Overview phpbb/phpbb is a Forum Software application. Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the forceservervars configuration being disabled. An attacker can cause password reset emails to contain links to attacker-controll...

CVE-2026-29199

phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When forceservervars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Hos...

CVE-2026-29199

phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When forceservervars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Hos...

CVE-2026-29199

CVE-2026-29199 affects phpBB prior to 3.3.16. The issue is a Host Header Injection in which, when force_server_vars is disabled, the server hostname is sourced from the HTTP Host header to build the password reset URL. An attacker who can control or influence the Host header can cause password re...

PT-2026-36770

Name of the Vulnerable Software and Affected Versions phpBB versions prior to 3.3.16 Description Host Header Injection occurs when force server vars is disabled, allowing the server's hostname to be extracted from the HTTP Host header to generate password reset link URLs. An attacker capable of...

EUVD-2026-25291

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the password reset functionality on cloud.flowiseai.com sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle...

Host Header Injection

github.com/zitadel/zitadel is vulnerable to Host Header Injection. The vulnerability is due to improper validation of the Forwarded or X-Forwarded-Host headers when generating password reset links, which allows an attacker to manipulate the link to a malicious domain and capture the reset code,...

CVE-2026-33417 Wallos: Password Reset Tokens Never Expire

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The passwordresets table includes a createdat timestamp column, but the token validation logic never checks it. A password reset token remains valid...

CVE-2025-69240

Raytha CMS allows an attacker to spoof X-Forwarded-Host or Host headers to attacker controlled domain. The attacker who knows the victim's email address can force the server to send an email with password reset link pointing to the domain from spoofed header. When victim clicks the link, browser...

Authorization Bypass Through User-Controlled Key

Overview @withstudiocms/effect is an Effect-TS Utilities for Astro Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the create-reset-link process. An attacker can gain unauthorized access to higher-privileged accounts by generating a password...

Authorization Bypass Through User-Controlled Key

Overview @withstudiocms/api-spec is an API Specification for StudioCMS Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the create-reset-link process. An attacker can gain unauthorized access to higher-privileged accounts by generating a...

Authorization Bypass Through User-Controlled Key

Overview @studiocms/s3-storage is an Add S3 Storage Support into your StudioCMS project. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the create-reset-link process. An attacker can gain unauthorized access to higher-privileged accounts by...

Authorization Bypass Through User-Controlled Key

Overview studiocms is an A Community-Driven Astro native CMS. Built from the ground up by the Astro community. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the create-reset-link process. An attacker can gain unauthorized access to...

GHSA-H7VR-CG25-JF8C StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation

Summary The POST /studiocmsapi/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor doe...

PT-2026-24820

Summary The POST /studiocms api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor do...

CVE-2026-29067

ZITADEL (open source identity platform) has a CVE-2026-29067 vulnerability affecting the login V2 password reset flow in versions 4.0.0-rc.1 through 4.7.0. The issue arises from constructing the password reset URL using the Forwarded or X-Forwarded-Host header, which can enable an attacker to inf...

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the forgot password process. An attacker can gain unauthorized access to user accounts by manipulating the Host header to injecting custom domains into the password reset link sent to users...

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the forgot password process. An attacker can gain unauthorized access to user accounts by manipulating the Host header to injecting custom domains into the password reset link sent to users...