CVSS Score: 9.8 Published: 2026-02-13 Full Report: https://cvereports.com/reports/CVE-2026-26273
CVE-2026-26273 is a catastrophic logic flaw in the 'Known' social publishing platform that turns the password reset mechanism into an open buffet for attackers. By simply knowing a victim's email address, an unauthenticated attacker can trigger a password reset and then retrieve the secret recovery token directly from the application's HTML source code. This bypasses the email delivery requirement entirely, allowing for instant, silent, and full account takeover (ATO). Rated as Critical (CVSS 9.8), this vulnerability highlights the dangers of implicit trust in client-side requests and 'convenience' features that leak state.
A critical flaw in Known < 1.6.3 allows anyone to reset an admin password by simply inspecting the HTML source code. The application leaks the database-stored reset token into a hidden input field when visited with a target's email address.
- CWE ID: CWE-200 (Info Exposure)
- CVSS v3.0: 9.8 (Critical)
- Attack Vector: Network (Web)
- Privileges: None
- Impact: Full Account Takeover
- Patch Commit: 8439a0747471559fb1ea9f074b929d390f27e66a
- Known Social Publishing Platform < 1.6.3
- Known: < 1.6.3 (Fixed in:
1.6.3)
- Update to Known version 1.6.3 immediately.
- Restrict access to the /account/ path via WAF until patched.
- Audit logs for suspicious password reset activity followed by immediate logins from new IPs.
Remediation Steps:
- Navigate to your Known installation directory.
- Run
git pullto fetch the latest tags. - Checkout the release:
git checkout 1.6.3. - Alternatively, download the release zip from GitHub and overwrite the
Idnodirectory. - Verify the patch by checking
Idno/Pages/Account/Password/Reset.phpfor thehash_equalscheck.
Generated by CVEReports - Automated Vulnerability Intelligence