CVE-2026-30459

Published: Apr 16, 2026 Last Modified: Apr 16, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,1

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: required

Scope: unchanged

Confidentiality: low

Integrity: high

Availability: none

Description

AI Translation Available

An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message.

640

Weak Password Recovery Mechanism for Forgotten Password

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Availability Integrity Other

Potential Impacts:

Gain Privileges Or Assume Identity Dos: Resource Consumption (Other) Other

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: High

View CWE Details

http://daylight.com

http://fuelcms.com

https://github.com/daylightstudio/FUEL-CMS/blob/master/fuel…

https://github.com/daylightstudio/FUEL-CMS/blob/master/fuel/modules/fuel/contro…

https://pentest-tools.com/PTT-2025-029-Password-Reset-Poiso…

https://pentest-tools.com/PTT-2025-029-Password-Reset-Poisoning-via-Host-Header…

CVE-2026-30459

Description

Weak Password Recovery Mechanism for Forgotten Password

Common Consequences

Applicable Platforms

Iscriviti alla newsletter