CVE-2026-12066 | A security flaw has been discovered in PbootCMS up to 3.2.12… | CVSS 7.3 HIGH

Description

A security flaw has been discovered in PbootCMS up to 3.2.12. This vulnerability affects the function retrieve of the file apps/home/controller/MemberController.php of the component Password Handler. The manipulation of the argument username/password/email/checkcode results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Metadata

CVE ID: CVE-2026-12066
State: PUBLISHED
Assigner: VulDB
Reserved: 2026-06-12 07:40 UTC
Published: 2026-06-12 13:00 UTC
Last updated: 2026-06-12 13:34 UTC
Primary CWE: CWE-640
Weak Password Recovery
Vendor / Product: n/a / PbootCMS
Sources: cve.org · NVD

Severity & Metrics

7.3 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
n/a	PbootCMS	—	3.2.0, 3.2.1, 3.2.2, 3.2.3 …

Weakness (CWE)

CWE	Source	Description
CWE-640	cna	Weak Password Recovery

CVSS scores (4)

Score	Severity	Version	Source	Vector
7.5	N/D	2.0	cna	AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
7.3	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
7.3	HIGH	3.0	cna	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

References (6)

VDB-370561 | PbootCMS Password MemberController.php retrieve password recovery https://vuldb.com/vuln/370561
VDB-370561 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/370561/cti
CVE-2026-12066 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-12066
Submit #828374 | PbootCMS 3.2.12 Improper Authentication https://vuldb.com/submit/828374
https://github.com/pbootcmspro/PbootCMS/issues/38
https://github.com/yunyan05/MYCVE/tree/main/PbootCMS/V3.2.12-Account-Takeover