CVE-2026-47181
PenguinMod-BackendApi: NoSQL Injection in Password Reset Endpoint Allows Account Takeover
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
PenguinMod-BackendApi is the backend API for PenguinMod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0.
| CWE | CWE-20 CWE-943 |
| Vendor | penguinmod |
| Product | penguinmod-backendapi |
| Published | Jun 11, 2026 |
Affected Versions
PenguinMod / PenguinMod-BackendApi
< 1.0.0