CVE-2026-26273
NONE EPSS 49.0%
Published Feb 13, 2026 · Modified Jun 17, 2026
Description
Known is a social publishing platform. Known 1.6.2 and earlier contain a critical Broken Authentication vulnerability: the password reset page renders the password reset token inside a hidden HTML input field. An unauthenticated attacker can therefore obtain the reset token for any user simply by submitting that user's email address to the reset form, and then complete the reset themselves, resulting in full Account Takeover (ATO) without any access to the victim's email inbox. The issue is fixed in Known 1.6.3.
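The leak pattern the description identifies (a secret that should only ever travel through the victim's inbox being echoed back into the HTML of the reset page) can be checked for offline. The following script is an added example and is not code from the Known project or from the advisory: it parses the HTML of a reset page, collects every hidden input, and reports those whose name suggests a secret or whose value is long and high-entropy like a random token, while skipping CSRF-style fields that legitimately live in hidden inputs. The field names, thresholds and sample pages are constructed for illustration and are not Known's real templates.

```python
"""Offline check for a password-reset page that echoes the reset token in a
hidden <input>, the CWE-200 / CWE-640 pattern this advisory describes.

Added example, not code from the Known project: the field names, thresholds
and sample HTML below are constructed for illustration, not Known's templates.
"""
import math
import re
from html.parser import HTMLParser

# Assumed heuristics: names that commonly carry secrets, and CSRF-style names
# that legitimately appear in hidden inputs and should not be reported.
SECRET_NAME = re.compile(r"token|secret|code|key|hash|nonce", re.I)
CSRF_NAME = re.compile(r"csrf|xsrf", re.I)
MIN_TOKEN_LEN = 16      # shorter values are unlikely to be random tokens
MIN_ENTROPY_BITS = 3.0  # per-character Shannon entropy; hex/base64 tokens exceed this


class HiddenInputCollector(HTMLParser):
    """Collect (name, value) for every <input type="hidden"> in the page."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden":
            self.hidden.append((a.get("name", ""), a.get("value", "")))


def shannon_entropy(s):
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_token(value):
    """True for long, high-entropy, space-free values typical of random tokens."""
    return (len(value) >= MIN_TOKEN_LEN
            and " " not in value
            and shannon_entropy(value) >= MIN_ENTROPY_BITS)


def find_leaked_tokens(html):
    """Return (name, value) pairs of hidden inputs that look like leaked secrets.

    A hit is a hidden input whose name suggests a secret or whose value looks
    like a random token, excluding CSRF-style fields, which are expected there.
    """
    parser = HiddenInputCollector()
    parser.feed(html)
    return [(name, value) for name, value in parser.hidden
            if not CSRF_NAME.search(name)
            and (SECRET_NAME.search(name) or looks_like_token(value))]


# Constructed sample responses (not Known's real markup) for the reset page
# after an email address has been submitted.
VULNERABLE_PAGE = """
<form method="post" action="/account/reset">
  <input type="hidden" name="csrf_token" value="0123456789abcdef0123456789abcdef">
  <input type="hidden" name="reset_token" value="fedcba9876543210fedcba9876543210">
  <input type="email" name="email" value="victim@example.org">
  <input type="submit" value="Reset password">
</form>
"""

FIXED_PAGE = """
<form method="post" action="/account/reset">
  <input type="hidden" name="csrf_token" value="0123456789abcdef0123456789abcdef">
  <input type="email" name="email" value="victim@example.org">
  <input type="submit" value="Reset password">
</form>
"""

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE), ("fixed", FIXED_PAGE)):
        print(label, find_leaked_tokens(page))
```

The entropy fallback matters because a leaked secret is not always helpfully named: a hidden field called `state` carrying a 32-character hex value is reported just the same. The CSRF allowlist is the one deliberate blind spot; a CSRF token in a hidden input is correct behaviour, and the check is only meaningful when run on the page served in response to a reset request for a specific account.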
Threat Intelligence
EPSS Exploit Probability: 49.0% (percentile)
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses (2)
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-640: Weak Password Recovery Mechanism for Forgotten Password
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| withknown | known | * | <1.6.3 |
References (3)
- github.com https://github.com/idno/known/commit/8439a0747471559fb1ea9f074b929d390f27e66a
- github.com https://github.com/idno/known/releases/tag/1.6.3
- github.com https://github.com/idno/known/security/advisories/GHSA-78wq-6gcv-w28r
Remediation
- github.com https://github.com/idno/known/commit/8439a0747471559fb1ea9f074b929d390f27e66a