CVE-2026-3186

LOW EPSS 12.7%
Published Feb 25, 20264mo ago · Modified Jun 17, 20261w ago
2.1 CVSS 4.0
Low
Find Similar
Published Feb 25, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

A vulnerability was determined in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this vulnerability is an unknown functionality of the file /api/admin/sys-user/reset/password/ of the component Password Reset Handler. This manipulation of the argument userId causes use of default password. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.3.3-beta addresses this issue. Patch name: aefaabfd7527188bfba3c8c9eee17c316d094802. It is suggested to upgrade the affected component. The project was informed beforehand and acted very professional: "We have added authorization validation to the password reset interface; now only users with the corresponding permissions are allowed to perform password resets."

CVSS Details

Base Score
2.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
12.7% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-1393

Affected Products 15

VendorProductVersionRange
szadminsz-boot-parent* ≤0.9.0
szadminsz-boot-parent1.0.0any
szadminsz-boot-parent1.0.1any
szadminsz-boot-parent1.0.2any
szadminsz-boot-parent1.1.0any
szadminsz-boot-parent1.2.0any
szadminsz-boot-parent1.2.1any
szadminsz-boot-parent1.2.2any
szadminsz-boot-parent1.2.3any
szadminsz-boot-parent1.2.4any
szadminsz-boot-parent1.2.5any
szadminsz-boot-parent1.2.6any
szadminsz-boot-parent1.3.0any
szadminsz-boot-parent1.3.1any
szadminsz-boot-parent1.3.2any

References 7

  • github.com https://github.com/feiyuchuixue/sz-boot-parent/
    Product
  • github.com https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802
    Patch
  • github.com https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta
    Release Notes
  • github.com https://github.com/yuccun/CVE/blob/main/sz-boot-parent-VPE_Unauthorized_Password_Reset.md
    ExploitThird Party Advisory
  • vuldb.com https://vuldb.com/?ctiid.347744
    Permissions RequiredThird Party AdvisoryVDB Entry
  • vuldb.com https://vuldb.com/?id.347744
    Third Party AdvisoryVDB Entry
  • vuldb.com https://vuldb.com/?submit.754037
    Third Party AdvisoryVDB Entry

Remediation

  • github.com https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9eee17c316d094802
    Patch