Description
PenguinMod-BackendApi is the backend API for PenguinMod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0.
Published: 2026-06-11
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a NoSQL injection flaw in the password reset endpoint of PenguinMod-BackendApi. It allows an authenticated user to supply crafted input that alters the database query, enabling that user to change the password of any account. The flaw stems from improper input validation and insecure handling of reset tokens, and results in complete compromise of user accounts.

Affected Systems

PenguinMod users running PenguinMod-BackendApi versions earlier than 1.0.0 are affected. The vulnerability has been addressed in version 1.0.0 and later.

Risk and Exploitability

With a CVSS score of 8.7, the vulnerability is rated high severity. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, but it can be exploited by anyone who has a registered account and a valid password-reset token for their own account, which is generally easy to acquire. An attacker can thus effect a full account takeover remotely through the API, compromising the confidentiality and integrity of user data.

Generated by OpenCVE AI on June 11, 2026 at 22:15 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Deploy the latest release of PenguinMod-BackendApi (v1.0.0 or newer) that contains the NoSQL injection fix.
  • Ensure that the password reset API now validates input and uses safe query mechanisms; audit the code to confirm that reset tokens are properly authenticated.
  • Until the update is installed, consider temporarily disabling the password reset functionality or restricting its use to trusted accounts.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | PenguinMod-BackendApi is the backend API for PenguinMod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0.
Title | | PenguinMod-BackendApi: NoSQL Injection in Password Reset Endpoint Allows Account Takeover
Weaknesses | | CWE-20, CWE-943
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T18:49:14.691Z

Reserved: 2026-05-18T22:07:37.434Z

Link: CVE-2026-47181

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-11T19:16:46.280

Modified: 2026-06-11T20:58:18.123

Link: CVE-2026-47181

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T22:30:09Z

Weaknesses
  • CWE-20: Improper Input Validation
  • CWE-943: Improper Neutralization of Special Elements in Data Query Logic