Lookup for vulnerabilities affecting packages.
| Vulnerability_id | VCID-9msv-tm48-8fb4 |
|---|
| Summary | Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3. |
|---|
| Aliases |
| 0 |
|
| 1 |
| alias |
GHSA-78wq-6gcv-w28r |
|
|
|---|
| Fixed_packages |
|
|---|
| Affected_packages |
|
|---|
| References |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-26273 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00329 |
| scoring_system |
epss |
| scoring_elements |
0.56341 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00329 |
| scoring_system |
epss |
| scoring_elements |
0.5633 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00329 |
| scoring_system |
epss |
| scoring_elements |
0.56327 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00329 |
| scoring_system |
epss |
| scoring_elements |
0.56207 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-26273 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/idno/known/releases/tag/1.6.3 |
| reference_id |
1.6.3 |
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-17T20:00:43Z/ |
|
|
| url |
https://github.com/idno/known/releases/tag/1.6.3 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
|---|
| Weaknesses |
| 0 |
| cwe_id |
200 |
| name |
Exposure of Sensitive Information to an Unauthorized Actor |
| description |
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
|
| 1 |
| cwe_id |
640 |
| name |
Weak Password Recovery Mechanism for Forgotten Password |
| description |
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
|
| 2 |
| cwe_id |
937 |
| name |
OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities |
| description |
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013. |
|
| 3 |
| cwe_id |
1035 |
| name |
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities |
| description |
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017. |
|
|
|---|
| Exploits |
|
|---|
| Severity_range_score | 9.0 - 10.0 |
|---|
| Exploitability | 0.5 |
|---|
| Weighted_severity | 9.0 |
|---|
| Risk_score | 4.5 |
|---|
| Resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-9msv-tm48-8fb4 |
|---|