CWE-640
Weak Password Recovery
MITRE: No catalog description on file. The MITRE CWE site has the canonical reference.
Recent CVEs
- CVE-2026-45013 (High · 8.1 · EPSS 0% · 8 h ago · npm)
  ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using `req.hostname`, which is derived directly from the attacker-controlled HTT
- CVE-2026-12066 (High · 7.3 · 20 h ago)
  A security flaw has been discovered in PbootCMS up to 3.2.12. This vulnerability affects the function retrieve of the file apps/home/controller/MemberController.php of the component Password Handler. The manipulation of the argument usernam
- CVE-2026-50635 (High · 8.8 · EPSS 0% · 3 d ago)
  LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so
- CVE-2018-16988 (Critical · 9.8 · EPSS 0% · 4 d ago)
  An issue was discovered in Open XDMoD through 7.5.0. An authentication bypass (account takeover) exists due to a weak password reset mechanism. A brute-force attack against an MD5 rid value requires only 600 guesses in the plausible situati
CWE catalog data sourced from MITRE. CVE associations come from NVD weakness mappings; some CVEs carry multiple CWEs.