CWE-640

High likelihood

Weak Password Recovery Mechanism for Forgotten Password

Parent: CWE-1390 - Weak Authentication

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

272 vulnerabilities with CWE-640
CVE-2026-28213 (CRITICAL, CVSS 9.8): evershop < 2.1.1 - Unauthenticated Account Takeover via Forgot Password Token Exposure
CVE-2026-27593 (CRITICAL, CVSS 9.3): Statmatic <6.3.3/5.73.10 - Auth Bypass
CVE-2026-2895 (LOW, CVSS 3.7): funadmin <=7.1.0-rc4 - Weak Password Recovery
CVE-2026-2564 (HIGH, CVSS 8.1): Intelbras VIP 3260 Z IA 2.840.00IB005.0.T - Auth Bypass
CVE-2026-2543 (LOW, CVSS 2.7): vichan-devel vichan <5.1.5 - Auth Bypass
CVE-2026-26273 (CRITICAL, CVSS 9.8): Known < 1.6.3 - Unauthenticated Account Takeover via Password Reset Token Leak
CVE-2026-25858 (CRITICAL, CVSS 9.1): macrozheng mall <1.0.3 - Auth Bypass
CVE-2026-1325 (MEDIUM, CVSS 5.3): Sangfor O&M Security Management System <= 3.0.12 - Weak Password Recovery via Flag Manipulation
CVE-2025-36579 (MEDIUM, CVSS 5.1): Dell Pro 14 Essential PV14250 <1.4.0 - Weak Password Recovery
CVE-2025-69614 (CRITICAL, CVSS 9.4): Deutsche Telekom AG Portal - Auth Bypass
CVE-2025-4320 (CRITICAL, CVSS 10.0): Birebirsoft Sufirmam <23012026 - Auth Bypass
CVE-2025-4319 (CRITICAL, CVSS 9.4): Birebirsoft Sufirmam <23012026 - Auth Bypass
CVE-2025-63314 (CRITICAL, CVSS 10.0): DDSN Interactive Acora CMS <10.7.1 - Code Injection
CVE-2025-15398 (LOW, CVSS 3.7): Uasoft badaso < 2.9.7 - Weak Password Recovery Mechanism in Token Handler
CVE-2025-14783 (MEDIUM, CVSS 4.3): Easy Digital Downloads <3.6.2 - Open Redirect
CVE-2025-65203 (HIGH, CVSS 7.1): KeePassXC-Browser <1.9.9.2 - Info Disclosure
CVE-2025-14696 (MEDIUM, CVSS 5.3): Shenzhen Sixun Software Sixun Shanghui Group Business Management Sy...
CVE-2025-64113 (CRITICAL, CVSS 9.8): Emby Server < 4.9.1.81 - Unauthenticated Weak Password Recovery Mechanism
CVE-2025-53704 (HIGH, CVSS 7.5): Pivot Client - Privilege Escalation
CVE-2025-66225 (HIGH, CVSS 8.8): OrangeHRM 5.0-5.7 - Unauthenticated Account Takeover via Password Reset Username Manipulation
CVE-2025-50433 (CRITICAL, CVSS 9.8): imonnit - Account Takeover via Weak Password Recovery Mechanism
CVE-2025-13565 (MEDIUM, CVSS 5.3): SourceCodester Inventory Management System 1.0 - Weak Password Recovery Mechanism in resetPassword.php
CVE-2025-62709 (MEDIUM, CVSS 6.8): ClipBucket 5.3-5.5.2-163 - Password Reset Token Hijacking via Host Header Injection
CVE-2025-62406 (HIGH, CVSS 8.1): Piwigo 15.6.0 - Unauthenticated Password Reset URL Manipulation via Host Header
CVE-2025-8855 (HIGH, CVSS 8.1): Optimus Software Brokerage Automation <1.1.71 - Auth Bypass