
CVE-2026-26273: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in idno known

Severity: Critical
Tags: CVE-2026-26273, CWE-200, CWE-640
Published: Fri Feb 13 2026 (02/13/2026, 21:45:41 UTC)
Source: CVE Database V5
Vendor/Project: idno
Product: known

Description

CVE-2026-26273 is a critical vulnerability in the Known social publishing platform in versions prior to 1.6.3. The password reset page exposes the password reset token in a hidden HTML input field, so an unauthenticated attacker can retrieve a user's token simply by submitting the reset form with that user's email address. This flaw enables full account takeover without access to the victim's email inbox. The vulnerability is classified as broken authentication and sensitive information exposure (CWE-200 and CWE-640). It has a CVSS score of 9.8, indicating critical severity. The issue is fixed in version 1.6.3.

AI-Powered Analysis

Last updated: 02/13/2026, 22:18:30 UTC

Technical Analysis

CVE-2026-26273 affects the Known social publishing platform (product: known, vendor: idno) in versions prior to 1.6.3. The vulnerability arises from the exposure of password reset tokens within a hidden HTML input field on the password reset page. When a user initiates a password reset, the application embeds the reset token in the page's HTML source code, which is accessible to anyone who can submit the password reset form with a target user's email address. This design flaw violates secure authentication principles by leaking sensitive tokens to unauthenticated actors, enabling them to bypass the need for email inbox access. Exploiting this vulnerability allows an attacker to perform a full account takeover (ATO), compromising confidentiality, integrity, and availability of user accounts. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information) and CWE-640 (Weak Password Recovery Mechanism). The CVSS v3.0 base score of 9.8 reflects the ease of exploitation (network vector, no privileges or user interaction required) and the critical impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability's nature makes it highly exploitable. The issue was publicly disclosed on February 13, 2026, and fixed in Known version 1.6.3. Organizations running affected versions should prioritize patching and audit their password reset implementations to ensure tokens are never exposed in client-side code.

Potential Impact

For European organizations using the Known platform, this vulnerability poses a severe risk of account compromise without requiring access to users' email accounts. Attackers can hijack user accounts, potentially leading to unauthorized content publication, data leakage, reputational damage, and further lateral attacks within the organization. Given Known's use in social publishing, compromised accounts could be leveraged to spread misinformation or malicious content. The critical nature of the vulnerability means that any organization relying on Known for internal or public-facing content management is at risk of significant operational disruption and data breaches. Additionally, GDPR implications arise from unauthorized access to personal data, potentially resulting in regulatory penalties and loss of customer trust. The ease of exploitation and lack of required authentication make this a high-priority threat for European entities using affected versions.

Mitigation Recommendations

Immediate upgrade to Known version 1.6.3 or later is the primary mitigation step to remediate this vulnerability. Organizations should audit their password reset workflows to ensure that sensitive tokens are never exposed in client-side code or HTML. Implement server-side validation and token handling that restricts token visibility to authenticated sessions only. Employ rate limiting and CAPTCHA protections on password reset endpoints to prevent automated enumeration of user emails. Conduct thorough security testing on authentication and password recovery features to detect similar flaws. Additionally, monitor logs for suspicious password reset requests and consider notifying users of password reset activities. For organizations unable to upgrade immediately, temporarily disabling password reset functionality or restricting access to the reset page via IP whitelisting can reduce risk. Finally, educate users on recognizing phishing attempts and encourage strong, unique passwords to mitigate downstream risks from account compromise.
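The following is an added illustration, not code from the Known project, of the flaw described in the technical analysis and of the server-side token handling recommended above: a reset page that embeds the token in a hidden input beside a hardened version that stores only the token's hash, delivers the token solely through the email channel, answers identically for unknown addresses, and consumes the token on first use. The in-memory stores, the `send_email` callback and the audit regex are assumptions made for this example.

```python
import hashlib
import hmac
import html
import re
import secrets

# Constructed in-memory stand-ins for the application's user and token tables (assumption).
USERS = {"alice@example.org": {"password_hash": "<placeholder>"}}
RESET_TOKENS = {}  # email -> sha256(token); only the hash is kept server-side


def issue_reset_token(email: str) -> str:
    """Generate a one-time reset token and persist only its hash."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[email] = hashlib.sha256(token.encode()).hexdigest()
    return token


def render_reset_page_vulnerable(email: str) -> str:
    """The pattern the advisory describes: the token is written into a hidden input,
    so whoever submits the reset form for a target email can read it from the HTML."""
    token = issue_reset_token(email)
    return (
        '<form method="post" action="/reset">'
        f'<input type="hidden" name="email" value="{html.escape(email)}">'
        f'<input type="hidden" name="token" value="{token}">'
        '<input type="password" name="new_password"><button>Reset</button></form>'
    )


def render_reset_page_fixed(email: str, send_email) -> str:
    """Hardened form: the token leaves the server only via email, and the response
    is the same neutral message whether or not the address is registered."""
    if email in USERS:
        token = issue_reset_token(email)
        send_email(email, f"https://example.org/reset?token={token}")
    return "<p>If that address is registered, a reset link has been sent.</p>"


def verify_reset_token(email: str, token: str) -> bool:
    """Constant-time check of the presented token against the stored hash; single-use."""
    expected = RESET_TOKENS.get(email)
    if expected is None:
        return False
    ok = hmac.compare_digest(expected, hashlib.sha256(token.encode()).hexdigest())
    if ok:
        del RESET_TOKENS[email]  # consume the token so it cannot be replayed
    return ok


HIDDEN_VALUE = re.compile(r'<input[^>]*type="hidden"[^>]*value="([^"]*)"')


def page_leaks_token(page_html: str) -> bool:
    """Audit check for the reset workflow: does any hidden input in the rendered page
    carry a value whose hash matches a currently issued reset token?"""
    stored = set(RESET_TOKENS.values())
    return any(hashlib.sha256(v.encode()).hexdigest() in stored
               for v in HIDDEN_VALUE.findall(page_html))
```

Running `page_leaks_token` over the HTML your reset endpoint actually returns is a quick regression test for the class of exposure fixed in 1.6.3.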


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-12T17:10:53.413Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 698f9fdcc9e1ff5ad86c396f

Added to database: 2/13/2026, 10:04:12 PM

Last enriched: 2/13/2026, 10:18:30 PM

Last updated: 2/14/2026, 1:11:08 AM

