CVE-2026-13020
A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and K
CVSS
8.1
High
EPSS
0.2%
p14
KEV
—
Exploit Today
4
0-100
Published: Jul 7, 2026 · Last modified: Jul 9, 2026 · CWE-640
0.2%EPSS · 30 days0.2%
2026-07-082026-07-18
A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an email server with ArcGIS Enterprise to facilitate user self-service password recovery. The ability for an administrator to reset a user’s password remains unchanged.
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-258589.1 CRI45.5%
——14macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.4dCVE-2022-345305.3 MED41.1%
——12An issue in the login and reset password functionality of Backdrop CMS v1.22.0 allows attackers to enumerate usernames via password reset requests and distinct responses returned based on usernames.10dCVE-2026-371069.8 CRI40.1%
——12An issue in DokuWiki 2025-05-14b "Librarian" 56.2 allows a remote attacker to create an account via the register function in inc/auth.php. NOTE: this is disputed by the Supplier because this is the intentional behavior when the product is configured for self-registration (a non-default feature). The supplier also notes that there is no configuration migration scenario that would result in the self-registration being enabled without the administrators knowledge.3dCVE-2026-130199.8 CRI33.2%
——10Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.9dCVE-2025-504339.8 CRI30.5%
——9An issue was discovered in imonnit.com (2025-04-24) allowing malicious actors to gain escalated privileges via crafted password reset to take over arbitrary user accounts.13dCVE-2026-151558.8 HIG28.9%
——9The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers — the allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator's password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover.3d