CVE-2026-26273

CVE-2026-26273

Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3.

Published Feb 16, 2026

https://github.com/advisories/GHSA-78wq-6gcv-w28r

CVSS ScoreCritical

9.8

Vulnerabilities

CVE-2026-26273

Published Feb 16, 2026

https://github.com/advisories/GHSA-78wq-6gcv-w28r

CVSS ScoreCritical

9.8

CVE-2026-26273 Security Details

CVE ID: CVE-2026-26273
CWE: CWE-200
CWE-640
NVD-CWE-noinfo
CVE Description: Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3.
Published: Feb 16, 2026
CVSS Score & Severity: 9.8Critical
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.311%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Affected Ecosystems: affected
Source: National Vulnerability Database
References: https://github.com/advisories/GHSA-78wq-6gcv-w28rTHIRD_PARTY

CVE-2026-26273 Security Details

CVE ID: CVE-2026-26273
CWE: CWE-200
CWE-640
NVD-CWE-noinfo
CVE Description: Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3.
Published: Feb 16, 2026
CVSS Score & Severity: 9.8Critical
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.311%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Affected Ecosystems: affected
Source: National Vulnerability Database
References: https://github.com/advisories/GHSA-78wq-6gcv-w28rTHIRD_PARTY

Find vulnerabilities. Fix fast with AI.

CVE-2026-26273

CVE-2026-26273 Security Details

CVE-2026-26273 Security Details