PT-2026-34036 · Unknown · Blueprintue

Published: 2026-04-21 · Updated: 2026-04-21 · CVE-2026-40588

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: blueprintUE versions prior to 4.2.0

Description: The password change form at '/profile/{slug}/edit/' does not include a current password field and fails to verify the user's existing password before accepting a new one. An attacker with a valid authenticated session can change the account password without knowing the original credential, leading to permanent account takeover.

Recommendations: Update to version 4.2.0.
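To make the weakness concrete, the following is an added example written for this page (it is not blueprintUE's own code and does not reproduce the project's handler). It places the weak pattern the advisory describes, a handler that sets a new password on the strength of the session alone, next to a hardened handler that requires a current_password field and verifies it against the stored hash before accepting the change. The in-memory user store, the slugs and the PBKDF2 parameters are constructed for the demo.

```python
"""Added example, not blueprintUE's code: password-change handlers with and
without verification of the caller's current password."""
import hashlib
import hmac
import os

# Constructed for the demo; production deployments should use the iteration
# count their password-hashing guidance recommends (this is kept low to run fast).
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, derived_key); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected_key: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)


# Constructed in-memory user store keyed by profile slug (a real app uses its database).
USERS: dict[str, dict] = {}


def create_user(slug: str, password: str) -> None:
    salt, key = hash_password(password)
    USERS[slug] = {"salt": salt, "key": key}


def login_ok(slug: str, password: str) -> bool:
    record = USERS[slug]
    return verify_password(password, record["salt"], record["key"])


def change_password_unverified(session_user: str, form: dict) -> str:
    """Weak pattern from the advisory: a valid session is all that is needed to set a
    new password, so whoever holds the session can lock the real owner out."""
    salt, key = hash_password(form["new_password"])
    USERS[session_user].update(salt=salt, key=key)
    return "changed"


def change_password(session_user: str, form: dict) -> str:
    """Hardened handler: the form must carry current_password, and it must match the
    stored hash, before the new password is written."""
    current = form.get("current_password")
    new = form.get("new_password")
    if not current or not new:
        return "error: current_password and new_password are required"
    record = USERS[session_user]
    if not verify_password(current, record["salt"], record["key"]):
        # Reject without touching the stored hash; the session alone is not proof of ownership.
        return "error: current password is incorrect"
    salt, key = hash_password(new)
    record.update(salt=salt, key=key)
    return "changed"


if __name__ == "__main__":
    create_user("alice", "correct horse")
    # Weak handler: no knowledge of the old password is needed.
    print(change_password_unverified("alice", {"new_password": "hijacked"}))
    # Hardened handler: rejected without the current password, accepted with it.
    print(change_password("alice", {"new_password": "fresh"}))
    print(change_password("alice", {"current_password": "hijacked", "new_password": "fresh"}))
    print(login_ok("alice", "fresh"))
```

The hardened handler fails closed on a missing field and on a mismatch, and it never modifies the stored hash until the current password has been verified; rotating the user's other sessions after a successful change is a further step a real application would add.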

Exploit

Fix

Weakness Enumeration

Related Identifiers: CVE-2026-40588

Affected Products: Blueprintue