CVE-2026-47181

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-943CWE-20

Related Identifiers

CVE-2026-47181

Affected Products

Penguinmod-Backendapi

CVE-2026-47181

Weakness Enumeration

Related Identifiers

Affected Products

References · 2