PT-2026-33310 · Daylight Studio · Fuel Cms

Published 2026-04-16 · Updated 2026-04-17 · CVE-2026-30459

CVSS v3.1: 7.1 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Daylight Studio FuelCMS version 1.5.2

Description

An issue in the Forgot Password feature allows unauthenticated attackers to obtain the password reset token of a victim user. The application fails to validate the Host header when constructing the password reset URL. An attacker can spoof this header and trigger a password reset request for a valid user email, causing the application to send a legitimate email containing a reset link that points to a server controlled by the attacker. When the victim clicks the link, the token is exfiltrated.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
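
The weakness in the Description, shown as an added example that is not FuelCMS code and not part of the original advisory: a reset link built from the request's Host header next to one built from configuration, plus a Host allowlist check. The function names, the `/reset` path, the hostnames and the token are hypothetical, constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical configuration: the only origin reset links may point at.
const CANONICAL_BASE_URL = 'https://cms.example.com';
// Hypothetical allowlist of hostnames this deployment answers to.
const ALLOWED_HOSTS = ['cms.example.com', 'www.cms.example.com'];

/** Vulnerable pattern: the link's host comes straight from the request. */
function reset_url_from_host_header(array $server, string $token): string
{
    $host = $server['HTTP_HOST'] ?? 'localhost';
    return 'https://' . $host . '/reset?token=' . rawurlencode($token);
}

/** Hardened pattern: the link's host comes from configuration only. */
function reset_url_from_config(string $token): string
{
    return CANONICAL_BASE_URL . '/reset?token=' . rawurlencode($token);
}

/** Defence in depth: refuse requests whose Host is not on the allowlist. */
function host_is_allowed(array $server): bool
{
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    // Drop an optional port; what remains must match an allowlisted name exactly.
    $name = preg_replace('/:\d+$/', '', $host);
    return in_array($name, ALLOWED_HOSTS, true);
}

// Constructed sample requests (not captured traffic).
$requests = [
    'normal'  => ['HTTP_HOST' => 'cms.example.com'],
    'spoofed' => ['HTTP_HOST' => 'attacker.example'],
];
$token = 'CONSTRUCTED-TOKEN-0001';

foreach ($requests as $label => $server) {
    printf("%s\n  host allowed : %s\n  header-built : %s\n  config-built : %s\n",
        $label,
        host_is_allowed($server) ? 'yes' : 'no',
        reset_url_from_host_header($server, $token),
        reset_url_from_config($token));
}
```

For the spoofed request, the header-built link carries the token to the spoofed host while the config-built link is unchanged. The same allowlist can also be enforced in front of the application by the web server or reverse proxy.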

Related Identifiers

CVE-2026-30459

Affected Products

Fuel Cms