CVE-2026-26273 · CRITICAL 9.8 · EPSS percentile 48.8%

CVE-2026-26273

Description

Known is a social publishing platform. Known 1.6.2 and earlier contain a critical broken-authentication vulnerability: the password reset page embeds the password reset token in a hidden HTML input field. An unauthenticated attacker who submits a user's email address to the reset page can therefore read that user's reset token directly from the response, leading to full account takeover (ATO) without any access to the victim's email inbox. This vulnerability is fixed in 1.6.3.

Scoring

CVSS 3.0: 9.8 (CRITICAL)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.71% probability of exploitation · percentile 48.8% · scored 2026-06-18T12:00:27Z
Published: 2026-02-13
Last modified: 2026-02-18

Underlying weaknesses · 2

CWE-200, CWE-640

References

  1. https://github.com/idno/known/commit/8439a0747471559fb1ea9f074b929d390f27e66a
  2. https://github.com/idno/known/releases/tag/1.6.3
  3. https://github.com/idno/known/security/advisories/GHSA-78wq-6gcv-w28r

Weaknesses · 2

Type      Target                                                                    Confidence  Tier
Weakness  Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)      0%          live
Weakness  Weak Password Recovery Mechanism for Forgotten Password (CWE-640)         0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus (all of type CVE).

  1. CVE-2026-46657
  2. CVE-2026-37982
  3. CVE-2025-48986
  4. CVE-2026-28213
  5. SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability
  6. CVE-2026-4248

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.