CVE Catalog

CVE-2026-47181

HighCVSS 8.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile - higher than 16% of all known CVEs

Summary

In PenguinMod-BackendApi prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account.

Risk Assessment

This vulnerability poses a serious risk of account takeover by unauthorized users, potentially leading to data loss and privacy breaches. Organizations should be aware that any authenticated user can exploit this flaw.

Recommendation

It is recommended to upgrade to version 1.0.0 or later to mitigate this vulnerability. Additionally, conducting a security audit of user accounts to detect potential breaches is advisable.

Original NVD description (English source)

PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS