CVE-2026-26273

NONE · EPSS 49.0%
Published Feb 13, 2026 (4mo ago) · Modified Jun 17, 2026 (2w ago)

Description

Known is a social publishing platform. In Known 1.6.2 and earlier, a Critical Broken Authentication vulnerability exists: the application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user simply by querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in version 1.6.3.

Threat Intelligence

EPSS Exploit Probability: 49.0% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor (Information Exposure)
CWE-640 Weak Password Recovery Mechanism for Forgotten Password

Affected Products 1

Vendor      Product   Version   Range
withknown   known     *         <1.6.3

References 3

  • github.com https://github.com/idno/known/commit/8439a0747471559fb1ea9f074b929d390f27e66a
    Patch
  • github.com https://github.com/idno/known/releases/tag/1.6.3
    Product, Release Notes
  • github.com https://github.com/idno/known/security/advisories/GHSA-78wq-6gcv-w28r
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/idno/known/commit/8439a0747471559fb1ea9f074b929d390f27e66a
    Patch