CVE-2026-26273
published 2026-02-13


Priority: P267
Severity: critical (CVSS 3.0 base score 9.8)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.71% (49.0th percentile)
Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3.

Affected (3 ranges)

Vendor      Product   Version range    Fixed in
idno        known     < 1.6.3          1.6.3
idno        known     >= 0 < 1.6.3     1.6.3
withknown   known     < 1.6.3          1.6.3

Detection & IOCs (extracted from sources)

  • The password reset token is leaked in a hidden HTML input field on the password reset page; monitor HTTP responses from the password reset endpoint for hidden input fields containing token values accessible without authentication.
  • An unauthenticated attacker only needs to supply a victim's email address to the password reset page to retrieve the reset token; detect unauthenticated GET/POST requests to the password reset endpoint that include an email parameter but originate from non-owner IPs, especially in bulk/automated patterns.
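The second indicator above, bulk reset requests from one client carrying many different email addresses, can be checked against web server access logs. The following is an added example written for this page, not code from the Known project or from the advisory source: it parses a few constructed Apache-style log lines, keeps only requests to the password reset endpoint that carry an `email` parameter, and flags any client IP that submits a threshold of distinct addresses within a short window. The endpoint path `/account/password/reset`, the parameter name `email`, and the threshold and window values are assumptions, as is the premise that the address is visible in the logged URL (a POST body would only be visible in a WAF or request-body log).

```python
"""Flag bulk, unauthenticated password-reset requests in web access logs."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Assumed values: the advisory does not give Known's reset URL or parameter name.
RESET_PATH = "/account/password/reset"
EMAIL_PARAM = "email"
THRESHOLD = 3          # distinct emails from one IP before we alert
WINDOW_SECONDS = 300   # sliding window in which those emails must appear

# Apache "combined" style line: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one client probes three addresses in six seconds,
# another retries a single address, a third never touches the reset page.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Feb/2026:10:00:01 +0000] "GET /account/password/reset?email=alice%40example.org HTTP/1.1" 200 2311
203.0.113.7 - - [13/Feb/2026:10:00:04 +0000] "GET /account/password/reset?email=bob%40example.org HTTP/1.1" 200 2305
203.0.113.7 - - [13/Feb/2026:10:00:07 +0000] "GET /account/password/reset?email=carol%40example.org HTTP/1.1" 200 2299
198.51.100.4 - - [13/Feb/2026:10:05:00 +0000] "GET /account/password/reset?email=dave%40example.org HTTP/1.1" 200 2300
198.51.100.4 - - [13/Feb/2026:10:06:00 +0000] "GET /account/password/reset?email=dave%40example.org HTTP/1.1" 200 2300
198.51.100.9 - - [13/Feb/2026:10:06:30 +0000] "GET /content/all/ HTTP/1.1" 200 9120
"""


def parse_line(line):
    """Return a dict with ip, timestamp, path and email for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query)
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": parts.path,
        "email": query.get(EMAIL_PARAM, [None])[0],
    }


def find_bulk_reset_probes(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return one finding per client IP that asks for resets of >= threshold
    distinct email addresses inside any window of `window` seconds."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != RESET_PATH or rec["email"] is None:
            continue
        by_ip[rec["ip"]].append((rec["ts"], rec["email"]))

    findings = []
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        # Sliding window: advance `start` until the span fits inside `window`.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            emails = {email for _, email in events[start:end + 1]}
            if len(emails) >= threshold:
                findings.append({
                    "ip": ip,
                    "distinct_emails": len(emails),
                    "first_seen": events[start][0].isoformat(),
                    "last_seen": events[end][0].isoformat(),
                })
                break  # one finding per IP is enough for an alert
    return findings


if __name__ == "__main__":
    for finding in find_bulk_reset_probes(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against real logs, the threshold should be tuned to the site's normal reset traffic; a shared NAT or corporate proxy will produce several legitimate resets from one address, so treating the alert as a trigger for review rather than an automatic block is the safer design. Patching to 1.6.3 removes the leak itself; this check only surfaces whether the reset page was being enumerated before or after that.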