CVE-2026-26273: The Over-Helpful Doorman: Full Account Takeover in 'Known' CMS

via Dev.to • CVE Reports • 11h ago

Vulnerability ID: CVE-2026-26273
CVSS Score: 9.8
Published: 2026-02-13

CVE-2026-26273 is a catastrophic logic flaw in the 'Known' social publishing platform that turns the password reset mechanism into an open buffet for attackers. By simply knowing a victim's email address, an unauthenticated attacker can trigger a password reset and then retrieve the secret recovery token directly from the application's HTML source code. This bypasses the email delivery requirement entirely, allowing for instant, silent, and full account takeover (ATO). Rated as Critical (CVSS 9.8), this vulnerability highlights the dangers of implicit trust in client-side requests and 'convenience' features that leak state.

TL;DR

A critical flaw in Known < 1.6.3 allows anyone to reset an admin password by simply inspecting the HTML source code. The application leaks the database-stored reset token into a hidden input field when visited with a target's em
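
A regression check for the leak class described above, as an added example that is not from the original article or the Known project: it parses a rendered password-reset response and reports any stored reset token that appears in it without the client having presented that token. The field names, sample markup and token value are constructed assumptions.

```python
from html.parser import HTMLParser


class AttributeCollector(HTMLParser):
    """Records every (tag, attribute, value) triple and all text nodes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.attributes = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.attributes += [(tag, k, v) for k, v in attrs if v]

    def handle_data(self, data):
        self.text.append(data)


def find_token_leaks(response_html, pending_tokens, presented_by_client=()):
    """Return (token, location) for each stored reset token echoed in a page.

    Tokens the client already presented (for example via the emailed link)
    are skipped: echoing those back reveals nothing the client did not have.
    """
    page = AttributeCollector()
    page.feed(response_html)
    page.close()
    findings = []
    for token in sorted(set(pending_tokens) - set(presented_by_client)):
        for tag, attr, value in page.attributes:
            if token in value:
                findings.append((token, f"<{tag}> attribute {attr!r}"))
        if any(token in chunk for chunk in page.text):
            findings.append((token, "text node"))
    return findings


# Constructed sample data: a token as stored server-side, and two responses
# to a request that supplied only an email address (hypothetical field names).
TOKEN = "CONSTRUCTED-reset-token-0001"
LEAKY = ('<form method="post">'
         '<input type="hidden" name="email" value="victim@example.test">'
         '<input type="hidden" name="code" value="CONSTRUCTED-reset-token-0001">'
         '<input type="password" name="password"></form>')
FIXED = ('<form method="post"><input type="email" name="email">'
         '<button>Send reset link</button></form>')

if __name__ == "__main__":
    print("leaky:", find_token_leaks(LEAKY, [TOKEN]))
    print("fixed:", find_token_leaks(FIXED, [TOKEN]))
```

Run against the responses your own test suite captures for reset requests that carry only an email address; any finding means the token is reaching the client by a path other than the mailbox.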
