CVE-2026-26273
Published 2026-02-13
Priority: P267
Severity: critical, CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.71% (49.0th percentile)
Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| idno | known | < 1.6.3 | 1.6.3 |
| idno | known | >= 0 < 1.6.3 | 1.6.3 |
| withknown | known | < 1.6.3 | 1.6.3 |
Detection & IOCs
- The password reset token is leaked in a hidden HTML input field on the password reset page; monitor HTTP responses from the password reset endpoint for hidden input fields containing token values that are returned to unauthenticated requests.
- An unauthenticated attacker only needs to supply a victim's email address to the password reset page to retrieve the reset token; detect unauthenticated GET/POST requests to the password reset endpoint that include an email parameter, particularly from IPs not associated with the account owner and in bulk or automated patterns.
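A self-check for the first detection note above, as an added example that is not code from the Known project or from the advisory sources: it parses a captured password-reset response and flags hidden inputs whose value looks like a secret, while skipping the anti-CSRF nonce a reset form legitimately carries. The field names (csrf_token, email, code) and the sample HTML are constructed assumptions, not Known's actual markup.

```python
# Added example (not Known's code): flag hidden <input> fields in a captured
# password-reset response that carry token-like values.
import math
import re
from html.parser import HTMLParser

# Hidden fields that legitimately carry a secret on a reset form (anti-CSRF
# nonces). These names are assumptions; adjust to the application under test.
EXPECTED_HIDDEN = {"csrf_token", "_csrf"}

def shannon_entropy(s: str) -> float:
    """Bits per character; random hex/base64 tokens score well above words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

class HiddenInputs(HTMLParser):
    """Collect (name, value) of every <input type="hidden"> in the response."""
    def __init__(self):
        super().__init__()
        self.fields = []
    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden":
            self.fields.append((a.get("name") or "", a.get("value") or ""))

def find_leaked_tokens(html, min_len=16, min_entropy=3.0):
    """Hidden fields whose value looks like a secret and is not an expected nonce."""
    parser = HiddenInputs()
    parser.feed(html)
    return [(n, v) for n, v in parser.fields
            if n not in EXPECTED_HIDDEN and len(v) >= min_len
            and re.fullmatch(r"[A-Za-z0-9+/=_-]+", v)
            and shannon_entropy(v) >= min_entropy]

# Constructed reset-page response modelled on the advisory's description:
# the verification code is reflected in a hidden input next to the email.
SAMPLE_RESPONSE = """
<form method="post" action="/account/password/reset/">
  <input type="hidden" name="csrf_token" value="9f8e7d6c5b4a39281706f5e4d3c2b1a0">
  <input type="hidden" name="email" value="victim@example.invalid">
  <input type="hidden" name="code" value="4e1c9a7b2d8f3e6a5c0b1d2e3f4a5b6c">
  <input type="password" name="password">
</form>
"""
if __name__ == "__main__":
    for name, value in find_leaked_tokens(SAMPLE_RESPONSE):
        print(f"hidden field {name!r} holds a token-like value: {value}")
```

Run it against responses captured from the reset endpoint after upgrading to 1.6.3 to confirm no token-like hidden field remains; a hit on a field other than the CSRF nonce is worth a manual look.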
OSV
osv · 2026-02-13
CVE-2026-26273 [CRITICAL] Known affected by Account Takeover via Password Reset Token Leakage
### Summary
A Critical Broken Authentication vulnerability exists in Known 1.6.2. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox.
### Details
The vulnerability occurs within the password reset flow. When a reset is requested, the application generates a verification code. However, the subsequent reset page (/account/password/reset/) incorrectly reflects this code back to the client in the HTML source code.
Specifically, the sensitive token is embedded i
GHSA
ghsa · 2026-02-13
CVE-2026-26273 [CRITICAL] CWE-200 Known affected by Account Takeover via Password Reset Token Leakage
No detection rules found.
No public exploits indexed.