Description
An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message.
Published: 2026-04-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover through exposed password reset tokens
Action: Patch urgently
AI Analysis

Impact

An unauthorized attacker can obtain a valid password reset token for a user by placing a crafted link in an email that the victim receives. This flaw, classified as CWE‑640, is a user authentication weakness that allows the attacker to retrieve the token and subsequently reset the victim’s account password. The exposure enables a full compromise of user credentials, leading to loss of confidentiality, integrity, and availability of the victim’s account and any data protected by it.

Affected Systems

The vulnerability affects Daylight Studio FuelCMS version 1.5.2. No other vendors or product versions were identified as impacted.

Risk and Exploitability

The flaw can be exploited by any actor who can send a crafted link to a target’s inbox. The attacker does not need elevated privileges or special system access—simply delivering an email containing the forged link is sufficient. Because the reset token is exposed to the external author of the email, the attack can be performed in a low‑complexity manner. The vulnerability has a CVSS score of 7.1, an EPSS score is not available; it is not listed in the CISA KEV catalog. The attack vector is inferred to be email‑based, leveraging a lack of verification that the reset token originates from the legitimate user’s mailbox.

Generated by OpenCVE AI on April 17, 2026 at 06:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest available FuelCMS release that addresses the password‑reset‑token exposure flaw.
  • If an immediate upgrade is unavailable, disable the password‑reset functionality for unauthenticated users until a patch is applied.
  • Implement email‑authentication mechanisms (SPF, DKIM, DMARC) to reduce the risk of forged messages containing malicious reset links.

Generated by OpenCVE AI on April 17, 2026 at 06:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 06:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Retrieval of Password Reset Tokens via Forged Email Links in FuelCMS

Thu, 16 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Daylightstudio
Daylightstudio fuel Cms
Vendors & Products Daylightstudio
Daylightstudio fuel Cms

Thu, 16 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-640
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Description An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message.
References

Subscriptions

Daylightstudio Fuel Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-16T15:16:57.348Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30459

cve-icon Vulnrichment

Updated: 2026-04-16T15:14:19.283Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-16T15:17:17.370

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-30459

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T06:30:11Z

Weaknesses