CVE-2026-12066
Status: Deferred - Pending Action
Weak Password Recovery in PbootCMS

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: VulDB

Description
A security flaw has been discovered in PbootCMS up to and including 3.2.12. It affects the function retrieve of the file apps/home/controller/MemberController.php in the component Password Handler. Manipulating the arguments username, password, email and checkcode results in weak password recovery (CWE-640). The attack can be launched remotely, and a public exploit is available that may be used for attacks.
Meta Information
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS evaluated: N/A
Affected Vendors & Products

Vendor     Product    Version / Range
pbootcms   pbootcms   up to 3.2.12 (inclusive)
CWE
CWE-640: The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Executive Summary

CVE-2026-12066 is a weak password recovery vulnerability (CWE-640) in PbootCMS up to and including 3.2.12 that allows unauthenticated account takeover. The flaw lies in the retrieve function of apps/home/controller/MemberController.php, the member password reset handler, where an attacker who supplies the username, password, email and checkcode parameters can reset another member's password without proving ownership of the account.

The reset endpoint accepts a new password in an unauthenticated POST request and validates it only against an image CAPTCHA value held in the session; it never verifies that the requester controls the registered email address. Several details make this worse: the email comparison is skipped entirely when the email field is left empty, the remaining email ownership check is insufficient, no one-time reset token or verification email is used, the CAPTCHA validation itself is weak, and the CAPTCHA value is stored under a session key shared with other verification endpoints.

An attacker therefore needs only the victim's username and a fresh CAPTCHA code (obtained by requesting the CAPTCHA image, which populates the attacker's own session) to submit a request that overwrites the victim's password and take over the account completely.

Impact Analysis

This vulnerability can lead to a complete account takeover by an attacker without needing authentication. Once the attacker resets the password, they gain full control over the victim's account.

The impact includes exposure of sensitive member data such as orders, addresses, private messages, and potentially other personal information stored within the compromised account.

Any PbootCMS deployment that exposes member accounts is affected, whether it runs an e-commerce store, a community site or a plain content site, so the flaw can lead to significant data breaches and loss of user trust.

Detection Guidance

Exploitation leaves a characteristic trace in web server logs: unauthenticated POST requests to the member password reset route (the retrieve action of MemberController) on PbootCMS up to 3.2.12, typically each preceded by a request for a fresh CAPTCHA image from the same client. A reset request is not visibly "missing" an email verification token, because the vulnerable flow never issued one, so detection must key on the route, the request method, and the volume and cadence of requests rather than on the absence of a parameter.

Start by reviewing web server access logs for POST requests to the reset route, especially bursts from a single client or many different usernames targeted from one address, both of which indicate automated account takeover rather than a genuine forgotten-password flow.

Suggested commands to detect such activity might include:

  • Using grep or similar tools to search web server logs for POST requests to the password reset endpoint (substitute the route your deployment uses), for example: `grep 'POST /path_to_password_reset' /var/log/nginx/access.log`
  • Searching for the reset parameters in logs: `grep -E 'username=.*&password=.*&checkcode=' /var/log/nginx/access.log`. This only matches if your log_format records the request body (for example via $request_body) or the parameters travel in the query string; the default combined format does not log POST bodies, so on an unmodified server this search returns nothing even during active exploitation.
  • Monitoring for unusual spikes in password reset requests or CAPTCHA image requests, or for a repeated CAPTCHA-fetch-then-reset-POST sequence from one client, which indicates automated exploitation attempts.
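The log review above, carried out over constructed nginx combined-format lines, as an added Python example that is not part of the advisory. Because the combined format records no POST body, the detector keys on method, path and timing only: it reports, per client address, the busiest one-minute count of reset POSTs and how many of them directly followed a CAPTCHA fetch. The paths `/member/retrieve` and `/captcha` are assumptions (the advisory names the handler but not its URL, and gives no CAPTCHA URL); substitute your deployment's routes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed routes: the advisory names MemberController::retrieve but not its URL,
# and does not give the CAPTCHA URL. Replace both with your deployment's paths.
RESET_PATH = "/member/retrieve"
CAPTCHA_PATH = "/captcha"

# nginx "combined" log format: client, timestamp, request line, status, size, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log: 203.0.113.7 fetches a CAPTCHA and immediately POSTs a reset,
# six times in eleven seconds; 198.51.100.4 performs one ordinary reset half a minute later.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Jun/2026:10:00:{2 * i:02d} +0000] "GET {CAPTCHA_PATH} HTTP/1.1" 200 1532 "-" "python-requests/2.32"\n'
     f'203.0.113.7 - - [12/Jun/2026:10:00:{2 * i + 1:02d} +0000] "POST {RESET_PATH} HTTP/1.1" 200 87 "-" "python-requests/2.32"'
     for i in range(6)]
    + [f'198.51.100.4 - - [12/Jun/2026:10:05:10 +0000] "GET {CAPTCHA_PATH} HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
       f'198.51.100.4 - - [12/Jun/2026:10:05:41 +0000] "POST {RESET_PATH} HTTP/1.1" 200 87 "-" "Mozilla/5.0"']
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string before comparing routes
        "status": int(m["status"]),
    }


def find_reset_abuse(log_text, window=timedelta(seconds=60), threshold=5):
    """Per client IP, count reset POSTs in the busiest `window` and how many of them
    directly followed a CAPTCHA fetch. IPs whose peak is below `threshold` are omitted."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        resets = [e["ts"] for e in evs if e["method"] == "POST" and e["path"] == RESET_PATH]

        # Sliding window over the sorted reset timestamps: busiest `window` for this client.
        peak, start = 0, 0
        for end, t in enumerate(resets):
            while t - resets[start] > window:
                start += 1
            peak = max(peak, end - start + 1)

        # The exploit's minimal sequence: fetch a fresh CAPTCHA, then POST the reset.
        pairs = sum(
            1 for a, b in zip(evs, evs[1:])
            if a["method"] == "GET" and a["path"] == CAPTCHA_PATH
            and b["method"] == "POST" and b["path"] == RESET_PATH
        )
        if peak >= threshold:
            findings[ip] = {"peak_resets_per_window": peak, "captcha_then_reset_pairs": pairs}
    return findings


if __name__ == "__main__":
    for ip, info in find_reset_abuse(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

Feed it `cat /var/log/nginx/access.log` instead of the sample and tune `threshold` to your site's normal reset rate; if you do log `$request_body`, extend `parse_line` to capture it and additionally flag reset POSTs whose email field is empty, which is the bypass the advisory describes.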
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable password reset functionality and implementing additional verification controls.

Specifically, you should:

  • Disable or restrict the password reset feature temporarily to prevent exploitation.
  • Implement rate limiting and audit logging on password reset endpoints to detect and block mass takeover attempts.
  • Ensure that password reset requests require a time-bound, one-time reset token sent to the registered email address, rather than relying solely on CAPTCHA validation.
  • Separate CAPTCHA session namespaces to prevent reuse of CAPTCHA codes between image and email verification endpoints.
  • Avoid disclosing account existence information during the password reset process.

Applying patches or upgrading to a fixed version of PbootCMS when available is also recommended.
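The reset flow the Executive Summary describes (a CAPTCHA-only check, with an empty email field skipping the ownership comparison) and the token-based replacement recommended above, modelled side by side in an added Python example. This is illustrative code written for this page, not PbootCMS code: the function names, the `checkcode` session key, the in-memory store and the `outbox` stand-in for email delivery are assumptions, and the weak handler reproduces only the behaviour the advisory states.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Assumed names for the model; PbootCMS's real identifiers are not given on this page.
CAPTCHA_SESSION_KEY = "checkcode"   # one session key shared by every CAPTCHA check, as the advisory describes
TOKEN_TTL_SECONDS = 15 * 60
NEUTRAL_REPLY = "If an account with that name exists, a reset link has been sent."


@dataclass
class User:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes


@dataclass
class Store:
    users: dict = field(default_factory=dict)    # username -> User
    tokens: dict = field(default_factory=dict)   # sha256(token) -> {"username", "expires", "used"}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(user: User, password: str) -> None:
    user.salt = secrets.token_bytes(16)
    user.pw_hash = _hash(password, user.salt)


def verify_password(user: User, password: str) -> bool:
    return secrets.compare_digest(_hash(password, user.salt), user.pw_hash)


def make_demo_store() -> Store:
    """Constructed demo accounts; passwords are 'original-<username>'."""
    store = Store()
    for name, mail in (("alice", "alice@example.com"), ("bob", "bob@example.com")):
        u = User(name, mail, b"", b"")
        set_password(u, "original-" + name)
        store.users[name] = u
    return store


# --- Weak flow: the pattern the advisory describes ----------------------------
def weak_retrieve(store, session, username, password, email, checkcode):
    """Only the session CAPTCHA is checked; the email is compared only when supplied."""
    if checkcode.lower() != session.get(CAPTCHA_SESSION_KEY, "").lower():
        return "wrong captcha"
    user = store.users.get(username)
    if user is None:
        return "no such user"                  # also tells the caller which usernames exist
    if email and email != user.email:          # an empty email skips the only ownership check
        return "email mismatch"
    set_password(user, password)               # attacker-chosen password, no proof of ownership
    return "password reset"


# --- Hardened flow: single-use, time-bound token sent to the registered address
def request_reset(store, outbox, username, now=None):
    """Mint a token for the registered address. The reply is the same whether or not the user exists."""
    now = time.time() if now is None else now
    user = store.users.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()   # persist only a hash of the token
        store.tokens[digest] = {"username": user.username, "expires": now + TOKEN_TTL_SECONDS, "used": False}
        outbox[user.email] = token             # stand-in for emailing the link; never shown to the requester
    return NEUTRAL_REPLY


def complete_reset(store, token, new_password, now=None):
    """Accept the token once, before expiry. A CAPTCHA alone never authorises a reset."""
    now = time.time() if now is None else now
    rec = store.tokens.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    rec["used"] = True
    set_password(store.users[rec["username"]], new_password)
    return True


if __name__ == "__main__":
    store = make_demo_store()
    print(weak_retrieve(store, {CAPTCHA_SESSION_KEY: "AB12"}, "alice", "pwned", "", "AB12"))
    outbox = {}
    print(request_reset(store, outbox, "alice"))
    print(complete_reset(store, outbox["alice@example.com"], "N3w-pass"))
```

Rate limiting and audit logging from the list above sit in front of `request_reset` and `complete_reset`; the model omits them to keep the token life cycle (mint, hash, expire, burn on first use) visible.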

Compliance Impact

The vulnerability allows an attacker to take over user accounts by exploiting weak password recovery mechanisms, leading to unauthorized access to sensitive member data such as orders, addresses, and private messages.

Such unauthorized access and potential data compromise can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Failure to protect user accounts and personal data as a result of this vulnerability could lead to violations of these standards, resulting in legal and financial consequences for affected organizations.
