CVE-2023-26984

HIGH

Peppermint <0.2.4 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-26984. PoCs published by bypazs.

AI-analyzed exploit summary: The repository provides a detailed technical explanation of CVE-2023-26984, an authentication bypass vulnerability in Peppermint v0.2.4. It describes how an attacker can exploit the password reset function to escalate privileges by intercepting and modifying API requests.

Description

An issue in the password reset function of Peppermint v0.2.4 allows attackers to access the emails and passwords of the Tickets page via a crafted request.

Exploits (1)

nomisec WRITEUP
by bypazs · poc
https://github.com/bypazs/CVE-2023-26984


Classification: Writeup 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Peppermint v0.2.4
Auth required
Prerequisites: Low-privileged user account · Ability to intercept and modify HTTP requests
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 8.1
EPSS 0.0092
EPSS Percentile 55.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE CWE-639
Status published
Products (1)
peppermint/peppermint 0.2.4
Published Mar 29, 2023
Tracked Since Feb 18, 2026