CVE-2026-12066
HighCVSS 7.3Summary
A security flaw has been discovered in PbootCMS up to version 3.2.12 in the retrieve function of the file apps/home/controller/MemberController.php of the Password Handler component. Manipulation of the arguments username/password/email/checkcode results in weak password recovery.
Risk Assessment
This vulnerability allows for remote attacks, potentially leading to unauthorized access to user accounts. The publicly released exploit increases the risk of this vulnerability being exploited.
Recommendation
It is recommended to update PbootCMS to the latest version to mitigate this vulnerability. Additionally, implementing extra security measures in the password recovery process is advisable.
Original NVD description (English source)
A security flaw has been discovered in PbootCMS up to 3.2.12. This vulnerability affects the function retrieve of the file apps/home/controller/MemberController.php of the component Password Handler. The manipulation of the argument username/password/email/checkcode results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

