CVE Reports

Originally published at cvereports.com

CVE-2026-26273: The Over-Helpful Doorman: Full Account Takeover in 'Known' CMS

Vulnerability ID: CVE-2026-26273
CVSS Score: 9.8
Published: 2026-02-13

CVE-2026-26273 is a catastrophic logic flaw in the 'Known' social publishing platform that turns the password reset mechanism into an open buffet for attackers. By simply knowing a victim's email address, an unauthenticated attacker can trigger a password reset and then retrieve the secret recovery token directly from the application's HTML source code. This bypasses the email delivery requirement entirely, allowing for instant, silent, and full account takeover (ATO). Rated as Critical (CVSS 9.8), this vulnerability highlights the dangers of implicit trust in client-side requests and 'convenience' features that leak state.

TL;DR

A critical flaw in Known < 1.6.3 allows anyone to reset an admin password by simply inspecting the HTML source code. The application leaks the database-stored reset token into a hidden input field when visited with a target's email address.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-200 (Info Exposure)
  • CVSS v3.0: 9.8 (Critical)
  • Attack Vector: Network (Web)
  • Privileges: None
  • Impact: Full Account Takeover
  • Patch Commit: 8439a0747471559fb1ea9f074b929d390f27e66a

Affected Systems

  • Known Social Publishing Platform < 1.6.3
  • Known: < 1.6.3 (Fixed in: 1.6.3)

Code Analysis

Commit: 8439a07

Fixed password reset token leakage and user enumeration

diff --git a/Idno/Pages/Account/Password/Reset.php b/Idno/Pages/Account/Password/Reset.php
... - $t->__(['code' => $code])->draw('account/password/reset');
... + if (!empty($code) && hash_equals($code, $user->getPasswordRecoveryCode())) ...
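
Review bot: On the added hash_equals line the arguments look reversed: PHP documents the signature as hash_equals(known_string, user_string), so the stored value from $user->getPasswordRecoveryCode() should come first and the request-supplied $code second. The visible line also shows no check that $user was found or that a recovery code is currently set before the method call; suggest guarding both, and making the failure path respond identically for an unknown account and a wrong code, since the commit message also claims to fix user enumeration.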

Exploit Details

  • Manual: Manual exploitation via HTML source inspection.

Mitigation Strategies

  • Update to Known version 1.6.3 immediately.
  • Restrict access to the /account/ path via WAF until patched.
  • Audit logs for suspicious password reset activity followed by immediate logins from new IPs.
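
The log audit in the last mitigation item, sketched as an added example (not code from the Known project or the original report). The reset and login routes, the 302 success status, the combined access-log format and the sample lines are all assumptions constructed for illustration; adjust them to your deployment.

```python
import re
from datetime import datetime, timedelta

# Assumptions, not taken from the advisory: route names and success status.
RESET_PATH = "/account/password/reset"
LOGIN_PATH = "/session/login"
LOGIN_OK = 302
WINDOW = timedelta(minutes=10)

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip lines that are not in combined log format
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def suspicious_resets(lines):
    """Return (ip, reset_time, login_time) for IPs with no earlier successful
    login that request the reset page and then log in within WINDOW."""
    known_ips, last_reset, hits = set(), {}, []
    for ip, ts, method, path, status in sorted(
            filter(None, map(parse, lines)), key=lambda r: r[1]):
        if path.startswith(RESET_PATH):
            last_reset[ip] = ts
        elif path == LOGIN_PATH and method == "POST" and status == LOGIN_OK:
            reset_ts = last_reset.get(ip)
            if ip not in known_ips and reset_ts and ts - reset_ts <= WINDOW:
                hits.append((ip, reset_ts, ts))
            known_ips.add(ip)
    return hits

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [13/Feb/2026:09:00:00 +0000] "POST /session/login HTTP/1.1" 302 0',
    '198.51.100.7 - - [13/Feb/2026:09:30:00 +0000] "GET /account/password/reset HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/Feb/2026:09:31:00 +0000] "POST /session/login HTTP/1.1" 302 0',
    '203.0.113.50 - - [13/Feb/2026:10:00:05 +0000] "GET /account/password/reset HTTP/1.1" 200 5120',
    '203.0.113.50 - - [13/Feb/2026:10:00:41 +0000] "POST /session/login HTTP/1.1" 302 0',
    '192.0.2.9 - - [13/Feb/2026:11:00:00 +0000] "GET /account/password/reset HTTP/1.1" 200 5120',
    '192.0.2.9 - - [13/Feb/2026:11:45:00 +0000] "POST /session/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, reset_ts, login_ts in suspicious_resets(SAMPLE):
        print(f"{ip}: reset {reset_ts.isoformat()} -> login {login_ts.isoformat()}")
```

Access logs carry no account identity, so this correlates by client IP only; pair any hit with application-level logs to see which account was reset.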

Remediation Steps:

  1. Navigate to your Known installation directory.
  2. Run git pull to fetch the latest tags.
  3. Checkout the release: git checkout 1.6.3.
  4. Alternatively, download the release zip from GitHub and overwrite the Idno directory.
  5. Verify the patch by checking Idno/Pages/Account/Password/Reset.php for the hash_equals check.

Read the full report for CVE-2026-26273 on our website for more details including interactive diagrams and full exploit analysis.