CVE-2026-26273 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
A Critical Broken Authentication vulnerability exists in Known 1.6.2. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox.
The vulnerability occurs within the password reset flow. When a reset is requested, the application generates a verification code. However, the subsequent reset page (/account/password/reset/) incorrectly reflects this code back to the client in the HTML source code.
Specifically, the sensitive token is embedded in: <input type="hidden" name="code" value="[SECRET_TOKEN]">
Because this page is accessible via a GET request using the victim's email as a parameter, an attacker can programmatically extract the token.
The attacker makes the following curl command on the terminal using the victim's email, and is able to get the code that was sent as an hidden field in the HTML.
<img width="917" height="220" alt="image(2)" src="https://github.com/user-attachments/assets/af89ba3b-de56-4437-84b3-c1feb56d2348" />With this code, the attacker is able to use it in order to reset the victim password.
<img width="1335" height="711" alt="image(3)" src="https://github.com/user-attachments/assets/498b8a2e-9eb2-4b50-bc35-26b0f2764c8d" />Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.