FILTERING BY: CLEAR FILTER

Critical Authentication Bypass via Weak Password Recovery in PbootCMS

CVE-2026-12066 is a critical vulnerability in the PbootCMS password recovery module that enables unauthenticated remote attackers to achieve administrative access. The flaw stems from improper authentication (CWE-287) or the use of insufficiently random values (CWE-330) during the password reset process. By exploiting predictable reset tokens or manipulating parameters within the recovery endpoint via HTTP/HTTPS, an attacker can bypass standard authentication protocols. Successful exploitation grants full control over the CMS, facilitating unauthorized data access, site defacement, or lateral movement through potential Remote Code Execution (RCE) escalation. Immediate patching and the implementation of cryptographically secure token generation are required to mitigate this critical risk.


LINK COPIED TO CLIPBOARD