CVE-2026-47181
HighCVSS 8.7Exploitation Probability (EPSS)
Low risk16th percentile - higher than 16% of all known CVEs
Summary
In PenguinMod-BackendApi prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account.
Risk Assessment
This vulnerability poses a serious risk of account takeover by unauthorized users, potentially leading to data loss and privacy breaches. Organizations should be aware that any authenticated user can exploit this flaw.
Recommendation
It is recommended to upgrade to version 1.0.0 or later to mitigate this vulnerability. Additionally, conducting a security audit of user accounts to detect potential breaches is advisable.
Original NVD description (English source)
PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0.

