PT-2026-39211 · Sysreptor · Sysreptor

Lowaronmolnar · Published 2026-05-08 · Updated 2026-05-09 · CVE-2026-44987

CVSS v3.1: 3.8 (Low)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SysReptor versions prior to 2026.29

Description: Users with "User Admin" permissions can modify the email addresses of users with "Superuser" permissions. When the "Forgot Password" functionality is enabled, these users can reset Superuser passwords and authenticate as the Superuser, provided the Superuser does not have multi-factor authentication (MFA) enabled. This allows unauthorized access to the Django backend endpoint "/admin" or the ability to manipulate installation settings.

Recommendations: Update to version 2026.29.
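The description names three conditions that have to hold together: a "User Admin" who may edit a Superuser's email address, "Forgot Password" being enabled, and no MFA on the Superuser. The model below is an added example, not SysReptor's own code: a minimal user model with hypothetical role flags (`is_user_admin`, `is_superuser`, `mfa_enabled`), the email-update authorization check in the weak form the advisory describes beside a hardened form that refuses User Admin edits to superuser accounts, and a "Forgot Password" flow that honours MFA. `takeover_possible` replays the chain under each policy so the fix and the MFA mitigation can be checked as a regression test.

```python
"""Model of the privilege-management flaw in the advisory above.

Illustrative code only, not SysReptor's own: a minimal user model, the
e-mail-update authorization check in a weak and a hardened form, and a
"Forgot Password" flow, so the three conditions the advisory names
(User Admin role, password reset enabled, no MFA on the superuser) can be
exercised as a regression test.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


class PermissionDenied(Exception):
    pass


@dataclass
class User:
    username: str
    email: str
    password: str
    is_superuser: bool = False
    is_user_admin: bool = False  # hypothetical flag for the "User Admin" role
    mfa_enabled: bool = False


def _require_user_admin(actor: User) -> None:
    if not (actor.is_user_admin or actor.is_superuser):
        raise PermissionDenied("only User Admins may edit accounts")


def update_email_weak(actor: User, target: User, new_email: str) -> None:
    """Weak policy: the role check alone, so a User Admin may edit any
    account, superusers included. This is the pattern the advisory describes."""
    _require_user_admin(actor)
    target.email = new_email


def update_email_hardened(actor: User, target: User, new_email: str) -> None:
    """Hardened policy: a superuser account may only be changed by a superuser
    (or by its own owner); a plain User Admin is refused."""
    _require_user_admin(actor)
    if target.is_superuser and not actor.is_superuser and actor is not target:
        raise PermissionDenied("User Admins may not modify superuser accounts")
    target.email = new_email


class PasswordReset:
    """'Forgot Password': a single-use token is mailed to the address on file,
    and completing the reset still requires the account's MFA when enabled."""

    def __init__(self, users: List[User], enabled: bool = True) -> None:
        self.users = users
        self.enabled = enabled
        self.tokens: Dict[str, User] = {}

    def request(self, email: str) -> Optional[str]:
        """Return the token that would be mailed to `email`, or None if unknown."""
        if not self.enabled:
            raise PermissionDenied("password reset is disabled")
        for user in self.users:
            if user.email == email:
                token = secrets.token_urlsafe(16)
                self.tokens[token] = user
                return token
        return None

    def complete(self, token: str, new_password: str,
                 mfa_code: Optional[str] = None) -> User:
        user = self.tokens.pop(token)
        # "valid-otp" stands in for a real one-time-password verification
        if user.mfa_enabled and mfa_code != "valid-otp":
            raise PermissionDenied("MFA code required for this account")
        user.password = new_password
        return user


def takeover_possible(update_email, superuser_mfa: bool = False,
                      reset_enabled: bool = True) -> bool:
    """Replay the chain from the advisory under one e-mail policy and one set
    of settings; True means the User Admin ends up able to authenticate as
    the superuser, False means some control stopped it."""
    root = User("root", "root@example.test", "root-pw",
                is_superuser=True, mfa_enabled=superuser_mfa)
    admin = User("useradmin", "useradmin@example.test", "admin-pw",
                 is_user_admin=True)
    admin_mailbox = "useradmin-inbox@example.test"  # constructed: mailbox the User Admin reads
    reset = PasswordReset([root, admin], enabled=reset_enabled)
    try:
        update_email(admin, root, admin_mailbox)   # 1. superuser's address redirected
        token = reset.request(admin_mailbox)       # 2. reset token lands in that mailbox
        if token is None:
            return False
        reset.complete(token, "new-pw")            # 3. superuser password replaced
    except PermissionDenied:
        return False
    return root.password == "new-pw"               # 4. login as root now possible


if __name__ == "__main__":
    print("weak policy, no MFA:   ", takeover_possible(update_email_weak))
    print("hardened policy:       ", takeover_possible(update_email_hardened))
    print("weak policy + MFA:     ", takeover_possible(update_email_weak, superuser_mfa=True))
    print("weak policy, reset off:", takeover_possible(update_email_weak, reset_enabled=False))
```

Only the weak policy with reset enabled and no MFA on the superuser returns True; the hardened check, disabling the reset feature, or enrolling the superuser in MFA each break the chain, which matches the advisory's conditions and is why the fix in 2026.29 and MFA on privileged accounts are both worth having.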

Tags: Fix · LPE · Improper Privilege Management


Weakness Enumeration

Related Identifiers: CVE-2026-44987

Affected Products: Sysreptor