CVE-2026-47181: CWE-20: Improper Input Validation in PenguinMod PenguinMod-BackendApi
CVE-2026-47181 is a high-severity NoSQL injection vulnerability in the PenguinMod-BackendApi prior to version 1.0.0. It affects the password reset endpoint, allowing any authenticated user with a valid password reset token for their own account to change the password of any account, resulting in full account takeover. This vulnerability has been fixed in version 1.0.0.
AI Analysis
Technical Summary
PenguinMod-BackendApi versions before 1.0.0 contain an improper input validation vulnerability (CWE-20) that leads to NoSQL injection in the password reset endpoint. An authenticated attacker holding a valid password reset token for their own account can use this flaw to change the password of any other account, enabling full account takeover. The issue is fixed in version 1.0.0.
Potential Impact
Exploitation of this vulnerability allows an authenticated user to escalate privileges by changing passwords of arbitrary accounts, resulting in full account takeover. This compromises account confidentiality and integrity, potentially leading to unauthorized access and control over user accounts.
Mitigation Recommendations
Upgrade PenguinMod-BackendApi to version 1.0.0 or later, where this vulnerability has been patched. No other mitigation steps are indicated by the vendor advisory.
CVSS v4.0
Score: 8.7 (High)
Affected software
pkg:github/penguinmod/PenguinMod-BackendApi
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-18T22:07:37.434Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2b05d1815e7002b81ea67d
Added to database: 6/11/2026, 7:00:33 PM
Last enriched: 6/11/2026, 7:15:07 PM
Last updated: 6/12/2026, 3:00:46 AM