PenguinMod-BackendApi: NoSQL Injection in Password Reset Endpoint Allows Account Takeover
CVE-2026-47181

8.7 HIGH

Key Information:

Vendor: Penguinmod
CVE Published: 11 June 2026

What is CVE-2026-47181?

PenguinMod-BackendApi is the backend API for PenguinMod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0.

Affected Version(s)

PenguinMod-BackendApi < 1.0.0

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
