{"id":"CVE-2026-12066","summary":"PbootCMS Password MemberController.php retrieve password recovery","details":"A security flaw has been discovered in PbootCMS up to 3.2.12. This vulnerability affects the function retrieve of the file apps/home/controller/MemberController.php of the component Password Handler. The manipulation of the argument username/password/email/checkcode results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.","modified":"2026-07-08T07:15:45.853526557Z","published":"2026-06-12T13:00:07.936Z","database_specific":{"cwe_ids":["CWE-640"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12066.json","unresolved_ranges":[{"extracted_events":[{"introduced":"3.2.0"},{"last_affected":"3.2.0"},{"introduced":"3.2.1"},{"last_affected":"3.2.1"},{"introduced":"3.2.2"},{"last_affected":"3.2.2"},{"introduced":"3.2.3"},{"last_affected":"3.2.3"},{"introduced":"3.2.4"},{"last_affected":"3.2.4"},{"introduced":"3.2.6"},{"last_affected":"3.2.6"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"VulDB"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12066.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-12066"},{"type":"ADVISORY","url":"https://vuldb.com/cve/CVE-2026-12066"},{"type":"ADVISORY","url":"https://vuldb.com/submit/828374"},{"type":"ADVISORY","url":"https://vuldb.com/vuln/370561"},{"type":"REPORT","url":"https://github.com/pbootcmspro/PbootCMS/issues/38"},{"type":"REPORT","url":"https://vuldb.com/vuln/370561/cti"},{"type":"EVIDENCE","url":"https://github.com/yunyan05/MYCVE/tree/main/PbootCMS/V3.2.12-Account-Takeover"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pbootcmspro/pbootcms","events":[{"introduced":"e126559ee341d4581ab458d1aad514048d3c5dbf"},{"last_affected":"ac82785922b622fe3d9b152da1fd069748fa15f1"}],"database_specific":{"extracted_events":[{"introduced":"3.2.5"},{"last_affected":"3.2.5"},{"introduced":"3.2.7"},{"last_affected":"3.2.7"},{"introduced":"3.2.8"},{"last_affected":"3.2.8"},{"introduced":"3.2.9"},{"last_affected":"3.2.9"},{"introduced":"3.2.10"},{"last_affected":"3.2.10"},{"introduced":"3.2.11"},{"last_affected":"3.2.11"},{"introduced":"3.2.12"},{"last_affected":"3.2.12"}],"source":"AFFECTED_FIELD"}}],"versions":["3.2.10","3.2.11","3.2.12","3.2.5","3.2.7","3.2.8","3.2.9","V3.2.12","V3.2.11","V3.2.10","V3.2.9","V3.2.8","V3.2.7","V3.2.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12066.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}]}