CVE 8.7 HIGH

PenguinMod-BackendApi: NoSQL Injection in Password Reset Endpoint Allows Account Takeover_CVE-2026-47181

June 11, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Description

PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0.

AI Analysis

NoSQL injection vulnerability in password reset endpoint allows account takeover

Basic Information

ID CVE-2026-47181

Source GitHub_M

Published Jun 11, 2026 at 18:49

Affected Product

Vendor PenguinMod

Product PenguinMod-BackendApi

Version < 1.0.0

Affected Versions PenguinMod PenguinMod-BackendApi < 1.0.0

CWE Classification

CWE-20 CWE-943

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor PenguinMod

Product PenguinMod-BackendApi

Version < 1.0.0

References

github.com /PenguinMod/PenguinMod-BackendApi/security/advisories/GHSA-wwwc-jwrc-3pj8

{
    "lastseen": "",
    "description": "PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0.",
    "published": "2026-06-11T18:49:14.691Z",
    "modified": "2026-06-11T18:49:14.691Z",
    "type": "cve",
    "title": "PenguinMod-BackendApi: NoSQL Injection in Password Reset Endpoint Allows Account Takeover",
    "source": "GitHub_M",
    "references": "https://github.com/PenguinMod/PenguinMod-BackendApi/security/advisories/GHSA-wwwc-jwrc-3pj8",
    "id": "CVE-2026-47181",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20",
        "CWE-943"
    ],
    "cvelist": null,
    "sourceData": "PenguinMod PenguinMod-BackendApi < 1.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "PenguinMod-BackendApi",
    "version": "< 1.0.0",
    "vendor": "PenguinMod",
    "ai_description": "NoSQL injection vulnerability in password reset endpoint allows account takeover",
    "ai_severity": "High",
    "ai_vendor": "PenguinMod",
    "ai_product": "PenguinMod-BackendApi",
    "ai_version": "< 1.0.0",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply