18 matches found
PT-2026-34022
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a `password_reset_at` timestamp. However, the token redemption function findUserIDFromEmailAndToken queries only for a matching...
PT-2026-21809
Name of the Vulnerable Software and Affected Versions: Statamic versions prior to 6.3.3; Statamic versions prior to 5.73.10. Description: An attacker can exploit a flaw in the password reset functionality to obtain a user's token and subsequently reset their password. The attacker requires the emai...
CVE-2021-33321
Insecure default configuration in Liferay Portal 6.2.3 through 7.3.2, and Liferay DXP before 7.3, allows remote attackers to enumerate user email addresses via the forgot password functionality. The portal.property login.secure.forgot.password should be defaulted to true...
CVE-2019-16303
A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness, apache.commons.lang3 RandomStringUtils. This allows an attacker, if able to obtain their own password reset URL, to compute the value for all other...
EUVD-2012-5504
Malware in sbrugna...
EUVD-2021-28990
Malicious code in bioql PyPI...
EUVD-2022-29791
Malicious code in bioql PyPI...
CVE-2025-2171
CVE-2025-2171 affects Aviatrix Controller. The issue is a failure to enforce rate limiting on password reset attempts, allowing brute-force guessing of the 6-digit reset PIN. Affected versions are Aviatrix Controller before 7.1.4208, 7.2.5090, and 8.0.0. Public sources in the connected documents ...
CVE-2025-2171
Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 do not enforce rate limiting on password reset attempts, allowing adversaries to brute force guess the 6-digit password reset PIN...
CVE-2022-24744
Shopware is an open commerce platform based on the Symfony PHP framework and the Vue JavaScript framework. In affected versions, user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3...
CVE-2022-27978
Tooljet v1.6 does not properly handle missing values in the API, allowing attackers to arbitrarily reset passwords via a crafted HTTP request...
CVE-2021-29023
InvoicePlane 1.5.11 doesn't have any rate-limiting for password reset and the reset token is generated using a weak mechanism that is predictable...
CVE-2021-21395
Magento LTS (Long Term Support) is a community-developed alternative to the Magento CE official releases. Versions prior to 19.4.22 and 20.0.19 are vulnerable to Cross-Site Request Forgery. The password reset form is vulnerable to CSRF between the time the reset password link is clicked and user...
CVE-2023-35172 Nextcloud Server password reset endpoint is not brute force protected
NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until...
CVE-2023-28821
Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets...
CVE-2023-31286
An issue was discovered in Serenity Serene and StartSharp before 6.7.0. When a password reset request occurs, the server response leaks the existence of users. If one tries to reset a password of a non-existent user, an error message indicates that this user does not exist...
Default credentials
An attacker can access the "Forgot my password" button; as soon as a username that is valid in the system is entered, the system issues a message that a password reset email has been sent to the user. This way one can verify which users exist in the system and which do not...
PT-2020-17384 · Bigprof · Bigprof Online Invoicing System
Name of the Vulnerable Software and Affected Versions: BigProf Online Invoicing System versions prior to 2.9 Description: The issue is related to an unauthenticated SQL Injection in the /membership passwordReset.php endpoint, which is used for self-service password resets. An attacker can send a...