CVE-2026-30458 - Vulnerability Details

Description

An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack.

Published: 2026-03-26

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An issue in Daylight Studio FuelCMS v1.5.2 permits attackers to extract users’ password reset tokens through an email splitting technique. The vulnerability allows malicious actors to obtain tokens that would normally be protected, thereby enabling them to reset passwords without authorization. This directly undermines confidentiality and integrity of user accounts, posing a high risk of compromise.

Affected Systems

The affected system is Daylight Studio’s FuelCMS, specifically version 1.5.2. Users running this version of the CMS are exposed, regardless of deployment environment, because the flaw resides in the core token management feature.

Risk and Exploitability

The flaw carries a CVSS score of 9.1, indicating critical severity, while the EPSS score is below 1 percent, suggesting a low current exploitation probability. It is not listed in the CISA KEV catalog. The vulnerability can be leveraged remotely by sending crafted requests that manipulate the email handling logic to trigger token exfiltration, implying that users who receive such requests may be at immediate risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:thedaylightstudio:fuel_cms:1.5.2:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Daylightstudio

Fuel Cms

80%

Version	Status	Scheme	Platform
`1.5.2`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest FuelCMS update that addresses the token handling issue if an update is available.
If no patch is available, disable the password reset functionality until a fix is released.
Monitor authentication logs for anomalous reset requests or unusual token usage patterns.
Implement network or application layer controls to block suspicious email requests that could trigger the flaw.

Generated by OpenCVE AI on March 30, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00029.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
http://daylight.com
http://fuelcms.com
https://github.com/daylightstudio/FUEL-CMS
https://pentest-tools.com/PTT-2025-025-Account-Takeover-via-Email-Array.pdf

History

Tue, 31 Mar 2026 03:00:00 +0000

Type	Values Removed	Values Added
Title	Account Takeover via Email Splitting: Exfiltration of Password Reset Tokens in Daylight Studio FuelCMS v1.5.2

Mon, 30 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Thedaylightstudio Thedaylightstudio fuel Cms
CPEs		cpe:2.3:a:thedaylightstudio:fuel_cms:1.5.2:::::::*
Vendors & Products		Thedaylightstudio Thedaylightstudio fuel Cms

Sun, 29 Mar 2026 20:45:00 +0000

Type	Values Removed	Values Added
Title		Account Takeover via Email Splitting: Exfiltration of Password Reset Tokens in Daylight Studio FuelCMS v1.5.2

Sat, 28 Mar 2026 03:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-620
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 27 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Title	Password Reset Token Exfiltration via Mail Splitting in FuelCMS
Weaknesses	CWE-200

Fri, 27 Mar 2026 09:30:00 +0000

Type	Values Removed	Values Added
Title		Password Reset Token Exfiltration via Mail Splitting in FuelCMS
Weaknesses		CWE-200

Fri, 27 Mar 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Daylightstudio Daylightstudio fuel Cms
Vendors & Products		Daylightstudio Daylightstudio fuel Cms

Thu, 26 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		An issue in Daylight Studio FuelCMS v1.5.2 allows attackers to exfiltrate users' password reset tokens via a mail splitting attack.
References		http://daylight.com http://fuelcms.com https://github.com/daylightstudio/FUEL-CMS https://pentest-tools.com/PTT-2025-025-Account-Takeover-via-Email-Array.pdf

Subscriptions

Daylightstudio Fuel Cms

Thedaylightstudio Fuel Cms

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-03-26T00:00:00.000Z

Updated: 2026-03-28T02:03:09.642Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30458

Vulnrichment

Updated: 2026-03-28T02:03:05.237Z

NVD

Status : Analyzed

Published: 2026-03-26T19:17:00.050

Modified: 2026-03-30T14:11:49.907

Link: CVE-2026-30458

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:48Z

Weaknesses

CWE-620

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object