Description
Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3.
Published: 2026-02-13
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Full Account Takeover via leaked password reset token
Action: Immediate Patch
AI Analysis

Impact

Prior to version 1.6.3, Known exposes password reset tokens through a hidden input field on the reset page. An attacker who knows a target's email address can request a reset and read the token embedded in the response. With this token the attacker can set a new password and then log in as that user. The flaw combines information exposure (CWE-200) with a weak password-recovery mechanism (CWE-640), allowing full compromise of the account without any access to the victim's email.

Affected Systems

The affected platform is the social‑publishing application Known, maintained by withknown. Any installation running Known 1.6.2 or earlier is susceptible. The patch that fixes the issue is released as version 1.6.3 and onward. No other vendors have been listed in the impact data.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating critical severity. The EPSS score is below one percent, so the estimated likelihood of exploitation is currently low, but the low effort and high impact mean that it remains a priority for mitigation. The CVE is not yet listed in the CISA KEV catalog, but its vector (network-reachable, low complexity, no privileges or user interaction, high impact on confidentiality, integrity and availability) calls for fast action. Attackers can exploit the flaw over the public web interface, needing only the target's email address.

Generated by OpenCVE AI on April 17, 2026 at 19:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Known to version 1.6.3 or newer, which removes the hidden input and properly protects reset tokens.
  • If an upgrade is not immediately possible, temporarily disable the password-reset page and endpoint for all users until the patch is applied. This stops reset tokens from being generated (and therefore leaked) while the website remains functional for authenticated users.
  • In the interim, restrict password reset requests to throttled or verified requests, and consider adding multi‑factor authentication to the reset flow to reduce the risk of unauthorized resets.
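The Impact section and the first recommended action both reduce to one design rule: a password-reset token must reach the user only through the channel that proves ownership of the address, never in the HTTP response to the unauthenticated request that created it. The Python module below is an added illustration written for this page, not Known's own code; the route name, the 15-minute lifetime, the sample address and the page markup are assumptions. It places the leaky pattern (token echoed in a hidden input) beside the fixed pattern (hashed, expiring, single-use token delivered out-of-band) and adds a small regression check that asserts a reset page never contains the token.

```python
import hashlib
import hmac
import html
import re
import secrets
import time

# Lifetime of a reset token; an assumed policy value, not one from Known.
TOKEN_TTL_SECONDS = 15 * 60


class ResetStore:
    """Server-side record of outstanding reset tokens, keyed by e-mail address.

    Only a SHA-256 digest of each token is kept, so neither a database read nor
    a template that dumps the stored record can recover the token itself.
    """

    def __init__(self, now=time.time):
        self._now = now        # injectable clock, used by the expiry check
        self._records = {}     # email -> (token digest, expiry timestamp)

    def issue(self, email):
        """Create a fresh token for `email`; the caller hands it to the mailer only."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._records[email] = (digest, self._now() + TOKEN_TTL_SECONDS)
        return token

    def consume(self, email, presented):
        """Accept `presented` once, if it matches the live token for `email`."""
        record = self._records.get(email)
        if record is None:
            return False
        digest, expires_at = record
        if self._now() > expires_at:
            del self._records[email]   # expired tokens are discarded, not compared
            return False
        presented_digest = hashlib.sha256(presented.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented_digest):
            return False
        del self._records[email]       # single use: a replayed token fails
        return True


def render_reset_page_leaky(email, token):
    """Weak pattern: the token is echoed to whoever submitted the e-mail address."""
    return (
        '<form method="post" action="/reset">'
        f'<input type="hidden" name="email" value="{html.escape(email)}">'
        f'<input type="hidden" name="token" value="{html.escape(token)}">'
        '<input type="password" name="new_password">'
        '<button type="submit">Set new password</button></form>'
    )


def render_reset_page_hardened(email):
    """Fixed pattern: the response carries no secret; the token travels only by e-mail."""
    return (f'<p>If an account exists for {html.escape(email)}, a reset link has '
            'been sent to that address. The link expires in 15 minutes.</p>')


def request_reset(store, email, leaky):
    """Handle an unauthenticated "forgot password" request; returns (page, token).

    The token is returned only so the caller can stand in for the mailer.
    """
    token = store.issue(email)
    page = render_reset_page_leaky(email, token) if leaky else render_reset_page_hardened(email)
    return page, token


HIDDEN_INPUT_RE = re.compile(r'<input\b[^>]*\btype=["\']hidden["\'][^>]*>', re.IGNORECASE)
VALUE_RE = re.compile(r'\bvalue=["\']([^"\']*)["\']', re.IGNORECASE)


def hidden_input_values(page):
    """Collect the (unescaped) value attribute of every hidden <input> in a page."""
    values = []
    for tag in HIDDEN_INPUT_RE.findall(page):
        match = VALUE_RE.search(tag)
        if match:
            values.append(html.unescape(match.group(1)))
    return values


def reset_page_leaks_token(page, token):
    """Regression check for the CVE-2026-26273 pattern: is the token anywhere in the page?"""
    return token in hidden_input_values(page) or token in html.unescape(page)


def demo():
    """Run both variants against a constructed sample address and report the outcomes."""
    email = "alice@example.test"   # constructed sample address
    store = ResetStore()
    leaky_page, leaky_token = request_reset(store, email, leaky=True)
    hardened_page, hardened_token = request_reset(store, email, leaky=False)
    return {
        "leaky_page_exposes_token": reset_page_leaks_token(leaky_page, leaky_token),
        "hardened_page_exposes_token": reset_page_leaks_token(hardened_page, hardened_token),
        "wrong_token_rejected": not store.consume(email, "not-the-token"),
        "right_token_accepted": store.consume(email, hardened_token),
        "replay_rejected": not store.consume(email, hardened_token),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Running the module prints the five checks; the leaky page fails the regression check and the hardened page passes it. The `reset_page_leaks_token` check is the piece worth keeping in a test suite: render every reset-flow page with a freshly issued token and assert the token is absent from the response body, which is exactly the condition that the fixed release has to satisfy.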

Generated by OpenCVE AI on April 17, 2026 at 19:46 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-78wq-6gcv-w28r
Title: Known affected by Account Takeover via Password Reset Token Leakage
History

Wed, 18 Feb 2026 21:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Withknown
                                      Withknown known
Weaknesses                            NVD-CWE-noinfo
CPEs                                  cpe:2.3:a:withknown:known:*:*:*:*:*:*:*:*
Vendors & Products                    Withknown
                                      Withknown known

Tue, 17 Feb 2026 21:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Idno
                                      Idno known
Vendors & Products                    Idno
                                      Idno known

Fri, 13 Feb 2026 22:00:00 +0000

Type                 Values Removed   Values Added
Description                           Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3.
Title                                 Known affected by Account Takeover via Password Reset Token Leakage
Weaknesses                            CWE-200
                                      CWE-640
References
Metrics                               cvssV3_0
                                      {'score': 9.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-17T20:00:54.355Z

Reserved: 2026-02-12T17:10:53.413Z

Link: CVE-2026-26273

Vulnrichment

Updated: 2026-02-17T20:00:47.600Z

NVD

Status : Analyzed

Published: 2026-02-13T22:16:11.330

Modified: 2026-02-18T21:01:56.787

Link: CVE-2026-26273

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z