CWE-640— Weak Password Recovery Mechanism for Forgotten Password
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.— MITRE CWE catalog
264 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-640page 5 of 6
- CVE-2025-47646CRITICALCVSS 9.8EG 9.82025-05-23
Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login & Registration psw-login-and-registration allows Password Recovery Exploitation.This issue affects PSW Front-end Login & Regi…
- CVE-2025-4903MEDIUMCVSS 5.3EG 5.32025-05-19
A vulnerability, which was classified as critical, was found in D-Link DI-7003GV2 24.04.18D1 R(68125). This affects the function sub_41F4F0 of the file /H5/webgl.asp?tggl_port=0&remote_management=0&http_passwd=game&exec_service=admin-resta…
- CVE-2025-50433CRITICALCVSS 9.8EG 9.82025-11-26
An issue was discovered in imonnit.com (2025-04-24) allowing malicious actors to gain escalated privileges via crafted password reset to take over arbitrary user accounts.
- CVE-2025-50503HIGHCVSS 8.8EG 8.82025-08-20
A vulnerability in the password reset workflow of the Touch Lebanon Mobile App 2.20.2 allows an attacker to bypass the OTP reset password mechanism. By manipulating the reset process, an unauthorized user may be able to reset the password …
- CVE-2025-50594CRITICALCVSS 9.8EG 9.82025-08-13
An issue was discovered in /Code/Websites/DanpheEMR/Controllers/Settings/SecuritySettingsController.cs in Danphe Health Hospital Management System EMR 3.2 allowing attackers to reset any account password.
- CVE-2025-52560HIGHCVSS 8.1EG 8.12025-06-24
Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configura…
- CVE-2025-53373HIGHCVSS 8.9EG 8.92025-07-07
Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server domain in the Host header when requesting the /forgetpassword endpoint. This vulnerability is fixed with commit …
- CVE-2025-53704HIGHCVSS 7.5EG 7.52025-12-04
The password reset mechanism for the Pivot client application is weak, and it may allow an attacker to take over the account.
- CVE-2025-55030MEDIUMCVSS 6.1EG 6.12025-08-19
Firefox for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline rather than downloading, potentially allowing for XSS attacks. This vulnerability was fixed in Firefox for i…
- CVE-2025-56748MEDIUMCVSS 6.4EG 6.42025-10-15
Creativeitem Academy LMS up to and including 5.13 uses predictable password reset tokens based on Base64 encoded templates without rate limiting, allowing brute force attacks to guess valid reset tokens and compromise user accounts.
- CVE-2025-6097CRITICALCVSS 9.8EG 5.32025-06-16
A vulnerability was found in UTT 进取 750W up to 5.0 and classified as critical. Affected by this issue is the function formDefineManagement of the file /goform/setSysAdm of the component Administrator Password Handler. The manipulation …
- CVE-2025-61977HIGHCVSS 7.0EG 7.02025-10-23
A weak password recovery mechanism for forgotten password vulnerability was discovered in Productivity Suite software version v4.4.1.19. The vulnerability allows an attacker to decrypt an encrypted project by answering just one recovery qu…
- CVE-2025-6216CRITICALCVSS 9.8EG 9.82025-06-21
Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this v…
- CVE-2025-62406HIGHCVSS 8.8EG 8.12025-11-18
Piwigo is a full featured open source photo gallery application for the web. In Piwigo 15.6.0, using the password reset function allows sending a password-reset URL by entering an existing username or email address. However, the hostname u…
- CVE-2025-62709HIGHCVSS 8.8EG 6.82025-11-20
ClipBucket v5 is an open source video sharing platform. In ClipBucket version 5.5.2, a change to network.class.php causes the application to dynamically build the server URL from the incoming HTTP Host header when the configuration base_ur…
- CVE-2025-63314CRITICALCVSS 10.0EG 10.02026-01-12
A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack.
- CVE-2025-64101HIGHCVSS 8.8EG 8.12025-10-29
Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming re…
- CVE-2025-64113CRITICALCVSS 9.8EG 9.82025-12-09
Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level). Other than network access, no specif…
- CVE-2025-65203HIGHCVSS 7.1EG 7.12025-12-17
KeePassXC-Browser thru 1.9.9.2 autofills or prompts to fill stored credentials into documents rendered under a browser-enforced CSP directive and iframe attribute sandbox, allowing attacker-controlled script in the sandboxed document to ac…
- CVE-2025-66225HIGHCVSS 8.8EG 8.82025-11-29
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset proce…
- CVE-2025-69614CRITICALCVSS 9.4EG 9.42026-03-10
Incorrect Access Control via activation token reuse on the password-reset endpoint allowing unauthorized password resets and full account takeover. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 20…
- CVE-2025-7881LOWCVSS 2.7EG 2.72025-07-20
A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument code leads to weak pa…
- CVE-2025-7948MEDIUMCVSS 6.5EG 4.32025-07-22
A vulnerability classified as problematic was found in jshERP up to 3.5. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/user/updatePwd. The manipulation leads to weak password recovery. The attack can b…
- CVE-2025-8855HIGHCVSS 8.1EG 8.12025-11-14
Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Cl…
- CVE-2026-10169LOWCVSS 3.7EG 3.72026-05-31
A vulnerability was detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected by this vulnerability is the function ajax_forgot_password of the file application/controlle…
- CVE-2026-11551CRITICALCVSS 9.8EG 9.82026-06-20
The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. …
- CVE-2026-12066HIGHCVSS 7.3EG 7.32026-06-12
A security flaw has been discovered in PbootCMS up to 3.2.12. This vulnerability affects the function retrieve of the file apps/home/controller/MemberController.php of the component Password Handler. The manipulation of the argument userna…
- CVE-2026-12416CRITICALCVSS 9.8EG 9.82026-06-24
The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` function being registered as a nopriv AJAX h…
- CVE-2026-12417CRITICALCVSS 9.8EG 9.82026-06-24
The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the `pravel_change_password()` AJAX hand…
- CVE-2026-13019CRITICALCVSS 9.8EG 9.82026-07-07
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.
- CVE-2026-13020CRITICALCVSS 9.8EG 8.12026-07-07
A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulati…
- CVE-2026-1325MEDIUMCVSS 5.3EG 5.32026-01-22
A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results …
- CVE-2026-15155HIGHCVSS 8.8EG 8.82026-07-11
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insuff…
- CVE-2026-24467CRITICALCVSS 9.0EG 9.02026-04-20
OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains …
- CVE-2026-2543LOWCVSS 2.7EG 2.72026-02-16
A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverifie…
- CVE-2026-2564HIGHCVSS 8.1EG 8.12026-02-16
A security flaw has been discovered in Intelbras VIP 3260 Z IA 2.840.00IB005.0.T. Affected by this vulnerability is an unknown functionality of the file /OutsideCmd. The manipulation results in weak password recovery. It is possible to lau…
- CVE-2026-25858CRITICALCVSS 9.1EG 9.82026-02-07
macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone…
- CVE-2026-26273CRITICALCVSS 9.8EG 9.82026-02-13
Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset …
- CVE-2026-2895LOWCVSS 3.7EG 3.72026-02-21
A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak pa…
- CVE-2026-29199HIGHCVSS 8.1EG 8.12026-05-04
phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the pas…
- CVE-2026-30459HIGHCVSS 7.1EG 7.12026-04-16
An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message.
- CVE-2026-33707CRITICALCVSS 9.4EG 9.42026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a u…
- CVE-2026-34198MEDIUMCVSS 5.3EG 5.32026-07-07
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the TrustProxies middleware trusts all proxies ($proxies = '*'), accepting X-Forwarded-Host from any source. The T…
- CVE-2026-34408CRITICALCVSS 9.1EG 9.12026-05-05
An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known.
- CVE-2026-34751CRITICALCVSS 9.1EG 9.12026-04-01
Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on b…
- CVE-2026-35676HIGHCVSS 8.2EG 8.22026-05-20
phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and …
- CVE-2026-36438MEDIUMCVSS 5.3EG 5.32026-05-18
An issue in Intelbras VIP-1230-D-G4 Version V2.800.00IB00C.0.T allows a remote attacker to obtain sensitive information via password reset functionality under /OutsideCmd
- CVE-2026-37106CRITICALCVSS 9.8EG 9.82026-06-30
An issue in DokuWiki 2025-05-14b "Librarian" 56.2 allows a remote attacker to create an account via the register function in inc/auth.php. NOTE: this is disputed by the Supplier because this is the intentional behavior when the product is …
- CVE-2026-40585HIGHCVSS 7.4EG 7.42026-04-21
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a password reset is initiated, a 128-character CSPRNG token is generated and stored alongside a password_reset_at timestamp. However, the token redemption functio…
- CVE-2026-4136MEDIUMCVSS 4.3EG 4.32026-03-20
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.2.24. This is due to insufficient validation on the redirect url supplied via the 'rcp_redirect' …
Map vulnerabilities like CWE-640 to your infrastructure
EchelonGraph correlates every CVE — across CWE-640 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →