CVE-2026-12066 MEDIUM

CVE-2026-12066: PbootCMS Password MemberController.php retrieve password recovery

Vendor N/A
Product PbootCMS
Weakness CWE-640 · Weak password recovery
Published June 12, 2026
Last update June 12, 2026
View on NVD All CVEs

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

Description

A security flaw has been discovered in PbootCMS up to 3.2.12. This vulnerability affects the function retrieve of the file apps/home/controller/MemberController.php of the component Password Handler. The manipulation of the argument username/password/email/checkcode results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Key dates

Disclosure timeline

June 12, 2026 CVE published
June 12, 2026 Record updated