A security flaw has been discovered in PbootCMS up to 3.2.12. This vulnerability affects the function retrieve of the file apps/home/controller/MemberController.php of the component Password Handler. The manipulation of the argument username/password/email/checkcode results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "3.2.0"
},
{
"last_affected": "3.2.0"
},
{
"introduced": "3.2.1"
},
{
"last_affected": "3.2.1"
},
{
"introduced": "3.2.2"
},
{
"last_affected": "3.2.2"
},
{
"introduced": "3.2.3"
},
{
"last_affected": "3.2.3"
},
{
"introduced": "3.2.4"
},
{
"last_affected": "3.2.4"
},
{
"introduced": "3.2.6"
},
{
"last_affected": "3.2.6"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12066.json",
"cna_assigner": "VulDB",
"cwe_ids": [
"CWE-640"
]
}{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "3.2.5"
},
{
"last_affected": "3.2.5"
},
{
"introduced": "3.2.7"
},
{
"last_affected": "3.2.7"
},
{
"introduced": "3.2.8"
},
{
"last_affected": "3.2.8"
},
{
"introduced": "3.2.9"
},
{
"last_affected": "3.2.9"
},
{
"introduced": "3.2.10"
},
{
"last_affected": "3.2.10"
},
{
"introduced": "3.2.11"
},
{
"last_affected": "3.2.11"
},
{
"introduced": "3.2.12"
},
{
"last_affected": "3.2.12"
}
]
}