{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30459", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-16T15:16:57.348Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-16T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T14:11:46.515Z"}, "descriptions": [{"lang": "en", "value": "An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://daylight.com"}, {"url": "http://fuelcms.com"}, {"url": "https://github.com/daylightstudio/FUEL-CMS/blob/master/fuel/modules/fuel/controllers/Login.php"}, {"url": "https://pentest-tools.com/PTT-2025-029-Password-Reset-Poisoning-via-Host-Header.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-640", "lang": "en", "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T15:15:57.087445Z", "id": "CVE-2026-30459", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T15:16:57.348Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30459", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T15:15:57.087445Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-640", "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T15:14:19.283Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://daylight.com"}, {"url": "http://fuelcms.com"}, {"url": "https://github.com/daylightstudio/FUEL-CMS/blob/master/fuel/modules/fuel/controllers/Login.php"}, {"url": "https://pentest-tools.com/PTT-2025-029-Password-Reset-Poisoning-via-Host-Header.pdf"}], "descriptions": [{"lang": "en", "value": "An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-16T14:11:46.515Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30459", "state": "PUBLISHED", "dateUpdated": "2026-04-16T15:16:57.348Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-16T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message."}], "id": "CVE-2026-30459", "lastModified": "2026-04-16T16:16:15.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-16T15:17:17.370", "references": [{"source": "cve@mitre.org", "url": "http://daylight.com"}, {"source": "cve@mitre.org", "url": "http://fuelcms.com"}, {"source": "cve@mitre.org", "url": "https://github.com/daylightstudio/FUEL-CMS/blob/master/fuel/modules/fuel/controllers/Login.php"}, {"source": "cve@mitre.org", "url": "https://pentest-tools.com/PTT-2025-029-Password-Reset-Poisoning-via-Host-Header.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-640"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.5.2"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 82.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "fuel_cms", "vendor": "daylightstudio"}], "analysis": {"en": {"generated_at": "2026-04-17T06:25:09.947388+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest available FuelCMS release that addresses the password\u2011reset\u2011token exposure flaw.", "If an immediate upgrade is unavailable, disable the password\u2011reset functionality for unauthenticated users until a patch is applied.", "Implement email\u2011authentication mechanisms (SPF, DKIM, DMARC) to reduce the risk of forged messages containing malicious reset links."], "summary": {"action": "Patch urgently", "impact": "Account takeover through exposed password reset tokens"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Daylight Studio FuelCMS version 1.5.2. No other vendors or product versions were identified as impacted.", "description_and_impact": "An unauthorized attacker can obtain a valid password reset token for a user by placing a crafted link in an email that the victim receives. This flaw, classified as CWE\u2011640, is a user authentication weakness that allows the attacker to retrieve the token and subsequently reset the victim\u2019s account password. The exposure enables a full compromise of user credentials, leading to loss of confidentiality, integrity, and availability of the victim\u2019s account and any data protected by it.", "risk_and_exploitability": "The flaw can be exploited by any actor who can send a crafted link to a target\u2019s inbox. The attacker does not need elevated privileges or special system access\u2014simply delivering an email containing the forged link is sufficient. Because the reset token is exposed to the external author of the email, the attack can be performed in a low\u2011complexity manner. The vulnerability has a CVSS score of 7.1, an EPSS score is not available; it is not listed in the CISA KEV catalog. The attack vector is inferred to be email\u2011based, leveraging a lack of verification that the reset token originates from the legitimate user\u2019s mailbox."}}}}, "created": "2026-04-16T18:58:52.234406+00:00", "title": "Unauthenticated Retrieval of Password Reset Tokens via Forged Email Links in FuelCMS", "updated": "2026-04-17T06:30:11.607308+00:00", "vendors": ["daylightstudio", "daylightstudio$PRODUCT$fuel_cms"]}