CWE-640
Weak Password Recovery Mechanism for Forgotten Password
BaseIncompleteLikelihood: High
Description
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-50
CVEs mapped to this weakness (50)
page 1 of 3| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-4320 | Cri | 0.65 | 10.0 | 0.00 | Jan 23, 2026 | Authentication Bypass by Primary Weakness, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Authentication Bypass, Password Recovery Exploitation.This issue affects Sufirmam: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-12866 | Cri | 0.64 | 9.8 | 0.00 | Nov 10, 2025 | EIP Plus developed by Hundred Plus has a Weak Password Recovery Mechanism vulnerability, allowing unauthenticated remote attacker to predict or brute-force the 'forgot password' link, thereby successfully resetting any user's password. | |
| CVE-2025-10127 | Cri | 0.64 | 9.8 | 0.00 | Sep 11, 2025 | Daikin Europe N.V Security Gateway is vulnerable to an authorization bypass through a user-controlled key vulnerability that could allow an attacker to bypass authentication. An unauthorized attacker could access the system without prior credentials. | |
| CVE-2025-32486 | Cri | 0.64 | 9.8 | 0.00 | Sep 9, 2025 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Hossein Material Dashboard material-dashboard.This issue affects Material Dashboard: from n/a through <= 1.4.6. | |
| CVE-2025-50594 | Cri | 0.64 | 9.8 | 0.00 | Aug 13, 2025 | An issue was discovered in /Code/Websites/DanpheEMR/Controllers/Settings/SecuritySettingsController.cs in Danphe Health Hospital Management System EMR 3.2 allowing attackers to reset any account password. | |
| CVE-2025-43932 | Cri | 0.64 | 9.8 | 0.00 | Jul 7, 2025 | JobCenter through 7e7b0b2 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. | |
| CVE-2025-43931 | Cri | 0.64 | 9.8 | 0.00 | Jul 7, 2025 | flask-boilerplate through a170e7c allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. | |
| CVE-2025-47646 | Cri | 0.64 | 9.8 | 0.09 | May 23, 2025 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login & Registration psw-login-and-registration allows Password Recovery Exploitation.This issue affects PSW Front-end Login & Registration: from n/a through <= 1.13. | |
| CVE-2025-31380 | Cri | 0.64 | 9.8 | 0.00 | Apr 17, 2025 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in videowhisper Paid Videochat Turnkey Site ppv-live-webcams allows Password Recovery Exploitation.This issue affects Paid Videochat Turnkey Site: from n/a through <= 7.3.11. | |
| CVE-2024-5404 | Cri | 0.64 | 9.8 | 0.01 | Jun 3, 2024 | An unauthenticated remote attacker can change the admin password in a moneo appliance due to weak password recovery mechanism. | |
| CVE-2025-4319 | Cri | 0.61 | 9.4 | 0.00 | Jan 23, 2026 | Improper Restriction of Excessive Authentication Attempts, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Brute Force, Password Recovery Exploitation.This issue affects Sufirmam: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2026-34751 | Cri | 0.59 | 9.1 | 0.00 | Apr 1, 2026 | Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload. | |
| CVE-2026-25858 | Cri | 0.59 | 9.1 | 0.00 | Feb 7, 2026 | macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number. | |
| CVE-2025-50503 | Hig | 0.57 | 8.8 | 0.00 | Aug 20, 2025 | A vulnerability in the password reset workflow of the Touch Lebanon Mobile App 2.20.2 allows an attacker to bypass the OTP reset password mechanism. By manipulating the reset process, an unauthorized user may be able to reset the password and gain access to the account without needing to provide a legitimate authentication factor, such as an OTP. This compromises account security and allows for potential unauthorized access to user data. | |
| CVE-2024-12295 | Hig | 0.57 | 8.8 | 0.00 | Mar 19, 2025 | The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.8.0. This is due to the plugin not properly validating a user's identity prior to updating their password through the 'boombox_ajax_reset_password' function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | |
| CVE-2024-45980 | Hig | 0.57 | 8.8 | 0.00 | Sep 26, 2024 | A host header injection vulnerability in MEANStore 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This allows attackers to arbitrarily reset other users' passwords and compromise their accounts. | |
| CVE-2024-27899 | Hig | 0.57 | 8.8 | 0.00 | Apr 9, 2024 | Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability. | |
| CVE-2026-33707 | Cri | 0.54 | 9.4 | 0.00 | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | |
| CVE-2025-29995 | Hig | 0.54 | — | 0.01 | Mar 13, 2025 | This vulnerability exists in the CAP back office application due to a weak password-reset mechanism implemented at API endpoints. An authenticated remote attacker with a valid login ID could exploit this vulnerability through vulnerable API endpoint which could lead to account takeover of targeted users. | |
| CVE-2026-29199 | Hig | 0.53 | 8.1 | 0.00 | May 4, 2026 | phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover. |