Description
A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-27
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the FoxCMS administration module, specifically the Edit function of Admin.php, leaves the platform with a weak password recovery mechanism (CWE-640). Because that mechanism can be manipulated, an attacker may be able to reset or recover an administrator account's password without the verification the process is supposed to require, bypassing authentication controls. The consequence is that an unauthorized party could obtain privileged access to the CMS, compromising the confidentiality and integrity of the site and its data.

Affected Systems

The vulnerability affects QianFox's FoxCMS up to and including version 1.2.6. Every release up to that version should be treated as susceptible; the advisory names no fixed release, so later versions (if any are published) are not covered by it.

Risk and Exploitability

The CVSS v4.0 base score of 5.1 (medium) reflects a network-reachable, low-complexity attack with limited impact on confidentiality, integrity and availability. The vector's PR:H (and Au:M in the CVSS v2 vector) indicates that the attacker must already hold elevated privileges in the application before the flaw can be triggered, so this is not an unauthenticated reset; the SSVC assessment likewise rates it as not automatable, with a proof-of-concept exploit and partial technical impact. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, but the description notes that an exploit is publicly available and the attack can be carried out remotely against the Admin.php edit function. The overall risk is therefore moderate, rising where the admin module is exposed to untrusted networks and no mitigation is applied.

Generated by OpenCVE AI on May 27, 2026 at 02:21 UTC.
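Since the advisory ties the weakness to the Edit function of Admin.php, one practical check is to look for requests that reach that function from outside the networks where administrators normally work. The script below is an added example, not part of the advisory and not FoxCMS code: it parses combined-format web server log lines, flags requests to Admin.php with an edit action from source addresses outside an allowlist, and counts hits per source so repeated probing stands out. The exact URL path, the action=edit query parameter, the allowlisted network and the log lines themselves are all constructed assumptions; adjust the patterns to the request shape seen in your own logs.

```python
"""Flag access-log entries that reach the FoxCMS Admin.php edit function.

Added example, not the advisory's or FoxCMS's own code. The path and
query parameter (Admin.php with action=edit), the allowlisted network
and the sample log lines are assumptions used for illustration.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [27/May/2026:01:02:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2026:01:02:10 +0000] "POST /admin/Admin.php?action=edit HTTP/1.1" 200 120 "-" "curl/8.0"
10.0.0.9 - - [27/May/2026:01:03:00 +0000] "POST /admin/Admin.php?action=edit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2026:01:03:05 +0000] "POST /admin/Admin.php?action=edit HTTP/1.1" 200 120 "-" "curl/8.0"
198.51.100.2 - - [27/May/2026:01:04:00 +0000] "GET /admin/Admin.php?action=list HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Networks from which administrators are expected to use the admin module (assumption).
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

# Combined log format: ip ident user [timestamp] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Requests that reach the edit function of Admin.php (assumed parameter name).
TARGET_RE = re.compile(r"/Admin\.php\?.*\baction=edit\b", re.IGNORECASE)


def parse_line(line):
    """Return a dict of the fields in one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_allowlisted(ip):
    """True when the source address falls inside one of the admin networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)


def find_suspicious(log_text):
    """Return parsed entries that hit the edit function from outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if TARGET_RE.search(rec["path"]) and not is_allowlisted(rec["ip"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count suspicious requests per source IP so repeated probing is visible."""
    counts = {}
    for rec in hits:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    suspicious = find_suspicious(SAMPLE_LOG)
    for rec in suspicious:
        print(f'{rec["ts"].isoformat()} {rec["ip"]} {rec["method"]} '
              f'{rec["path"]} -> {rec["status"]} ({rec["ua"]})')
    print(summarize(suspicious))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the allowlisted request from 10.0.0.9 and the unrelated list action are ignored, while both curl requests from 203.0.113.7 are reported.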

Remediation

No vendor fix or workaround is currently available; the project had not responded to the issue report at the time of publication.

OpenCVE Recommended Actions

  • Upgrade FoxCMS to a release newer than 1.2.6 as soon as one that addresses this issue is published; none is available at the time of writing
  • Restrict access to Admin.php (and the admin module as a whole) to trusted source addresses using network filtering or an IP allowlist, and review access logs for requests to the edit function from anywhere else
  • Enforce strong passwords and multi-factor authentication for all administrator accounts, and ensure that any password change or recovery path requires an additional verification step, such as a single-use, expiring token delivered by email or SMS, rather than accepting a new password on the strength of the request alone
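The third action above is the one that removes the CWE-640 condition rather than merely hiding the endpoint. The code below is an added example, not FoxCMS code and not a description of how Admin.php actually behaves (the advisory does not show that): it contrasts a generic weak recovery design, where the token is derived from public data and never expires, with a hardened flow that issues a random single-use token, stores only its hash, enforces an expiry and an attempt limit, compares in constant time, and lets the password be changed only after the token is redeemed. The class and function names, the in-memory store and the fixed clock used for demonstration are all assumptions.

```python
"""Weak versus hardened password-recovery token handling (CWE-640).

Added example, not FoxCMS code. The advisory does not show how the Edit
function of Admin.php handles recovery, so this contrasts a generic weak
design with the controls the recommended actions call for. All names,
the in-memory store and the clock are assumptions.
"""
import hashlib
import hmac
import secrets
import time

# --- Weak pattern: the token is computable from the username and never expires. ---
def weak_issue_token(username):
    # Anyone who knows the account name can compute this value.
    return hashlib.md5(username.encode()).hexdigest()


def weak_verify(username, token):
    # No expiry, no single use, no attempt limit, non-constant-time comparison.
    return token == weak_issue_token(username)


# --- Hardened pattern. ---
TOKEN_TTL_SECONDS = 15 * 60   # token lifetime (assumed policy)
MAX_ATTEMPTS = 5              # wrong guesses allowed per issued token


class RecoveryStore:
    """In-memory stand-in for a database table of pending resets."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so expiry can be tested
        self._pending = {}           # username -> {"hash", "expires", "attempts"}

    def issue(self, username):
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._pending[username] = {
            "hash": hashlib.sha256(token.encode()).hexdigest(),   # store the hash, not the token
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return token   # delivered out of band (email/SMS), never echoed in the HTTP response

    def redeem(self, username, token):
        """True only for a fresh, unexpired token; the token is consumed on success."""
        rec = self._pending.get(username)
        if rec is None:
            return False
        if self._now() > rec["expires"]:
            del self._pending[username]
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]            # too many guesses: invalidate the token
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, rec["hash"]):
            return False
        del self._pending[username]                # single use
        return True


def reset_password(store, users, username, token, new_password):
    """Change the stored password hash only after the recovery token is verified."""
    if not store.redeem(username, token):
        return False
    salt = secrets.token_bytes(16)
    users[username] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
    return True


if __name__ == "__main__":
    # Weak design: the "secret" is reproducible by anyone who knows the username.
    print("weak token accepted:", weak_verify("admin", weak_issue_token("admin")))

    # Hardened design, driven by a fixed clock so the run is deterministic.
    clock = [1000.0]
    store = RecoveryStore(now=lambda: clock[0])
    users = {}
    token = store.issue("admin")
    print("wrong token accepted:", reset_password(store, users, "admin", "guess", "new-pass"))
    print("real token accepted:", reset_password(store, users, "admin", token, "new-pass"))
    print("token reused:", store.redeem("admin", token))
    expired = store.issue("admin")
    clock[0] += TOKEN_TTL_SECONDS + 1
    print("expired token accepted:", store.redeem("admin", expired))
```

The attempt counter is incremented before the comparison so that a flood of guesses burns the token rather than giving the attacker unlimited tries, and the token is deleted on success so a captured reset link cannot be replayed.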

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 01:30:00 +0000 (initial entry: no values removed)

Type: Description
Values added: A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

Type: Title
Values added: QianFox FoxCMS Admin.php edit password recovery

Type: First Time appeared
Values added: Qianfox; Qianfox foxcms

Type: Weaknesses
Values added: CWE-640

Type: CPEs
Values added: cpe:2.3:a:qianfox:foxcms:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Qianfox; Qianfox foxcms

Type: References
Values added: none listed

Type: Metrics
Values added:
  cvssV2_0 {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-27T12:52:31.638Z

Reserved: 2026-05-26T16:23:31.182Z

Link: CVE-2026-9609

Vulnrichment

Updated: 2026-05-27T12:52:22.749Z

NVD

Status : Deferred

Published: 2026-05-27T02:16:35.413

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-9609

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T02:30:05Z

Weaknesses
  • CWE-640

    Weak Password Recovery Mechanism for Forgotten Password