CVE-2026-2543
Unverified Password Change Vulnerability in vichan Password Handler

Publication date: 2026-02-16

Last updated on: 2026-02-16

Assigner: VulDB

Description
A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverified password change. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-02-16
Last Modified: 2026-02-16
Generated: 2026-06-16
AI Q&A: 2026-02-16
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
Vendor: vichan-devel
Product: vichan
Version / Range: to 5.1.5 (inc)
CWE
CWE-620: When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
CWE-640: The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Executive Summary

CVE-2026-2543 is an authentication bypass vulnerability in vichan-devel vichan up to version 5.1.5, specifically in the Password Change Handler component located in the file inc/mod/pages.php.

The vulnerability arises because the application allows an authenticated moderator to change their password without verifying the current password. This happens due to reliance on an active session and permission checks without requiring re-authentication or password verification, classified as CWE-620 (Unverified Password Change).

An attacker who gains access to a valid moderator session, via methods such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), session fixation, or stolen cookies, can exploit this flaw to change the moderator's password remotely and take over the account. [2, 3]
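
The pattern described above, next to a form that requires the current password, as an added PHP illustration. This is not vichan code: the function names, the array-based session and account store, and the sample credentials are all hypothetical and constructed for the example.

```php
<?php
// Added illustration; not vichan code. All names here are hypothetical.

// Constructed in-memory account store standing in for the moderator table.
$mods = ['alice' => ['hash' => password_hash('old-secret', PASSWORD_DEFAULT)]];

// Pattern described by CWE-620: an active session plus a permission check
// is treated as sufficient to set a new password.
function change_password_unverified(array &$mods, array $session, string $new): bool
{
    if (empty($session['user']) || empty($session['can_change_password'])) {
        return false;
    }
    $mods[$session['user']]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

// Hardened form: additionally require the current password and a
// per-session anti-CSRF token before accepting the new password.
function change_password_verified(array &$mods, array $session, array $post): bool
{
    if (empty($session['user']) || empty($session['can_change_password'])) {
        return false;
    }
    $user = $session['user'];
    if (!isset($mods[$user], $session['csrf'], $post['csrf'], $post['current'], $post['new'])) {
        return false;
    }
    if (!hash_equals($session['csrf'], (string) $post['csrf'])) {
        return false; // request was not produced by the site's own form
    }
    if (!password_verify((string) $post['current'], $mods[$user]['hash'])) {
        return false; // holder of the session does not know the password
    }
    $mods[$user]['hash'] = password_hash((string) $post['new'], PASSWORD_DEFAULT);
    return true; // caller should also invalidate the user's other sessions
}

// Constructed session state: valid session and permission, nothing else.
$session = ['user' => 'alice', 'can_change_password' => true, 'csrf' => bin2hex(random_bytes(16))];
$copy = $mods; // scratch copy so the first call does not alter $mods
var_dump(change_password_unverified($copy, $session, 'replacement-pw'));
var_dump(change_password_verified($mods, $session,
    ['csrf' => $session['csrf'], 'current' => 'wrong-guess', 'new' => 'replacement-pw']));
var_dump(change_password_verified($mods, $session,
    ['csrf' => $session['csrf'], 'current' => 'old-secret', 'new' => 'new-secret']));
```

The first call succeeds with nothing but the session; the second fails because the current password is wrong; the third succeeds only because both the token and the current password match.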

Impact Analysis

This vulnerability impacts the integrity of user accounts by allowing an attacker with access to a valid moderator session to change the password without verification.

Successful exploitation can lead to permanent takeover of moderator accounts, enabling attackers to gain unauthorized control over administrative functions.

The attack can be initiated remotely and is considered easy to exploit once a valid session is obtained, increasing the risk of account compromise.

Detection Guidance

This vulnerability can be detected by identifying if the affected vichan-devel vichan version up to 5.1.5 is in use, specifically by checking for the presence of the vulnerable file inc/mod/pages.php.

Attackers may use Google dorking techniques such as searching for "inurl:inc/mod/pages.php" to identify vulnerable targets.

Since the vulnerability involves manipulation of the password change argument without verification, monitoring HTTP requests to the password change handler for suspicious or unauthorized password change attempts could help detect exploitation attempts.

No specific detection commands are provided in the available resources. [2]

Mitigation Strategies

There are no known countermeasures or mitigations available for this vulnerability.

It is suggested to replace the affected component with an alternative product to avoid the vulnerability.

Since the vulnerability requires an authenticated session, protecting moderator sessions from compromise (e.g., preventing XSS, CSRF, session fixation, and cookie theft) can reduce the risk of exploitation.
