Home / Vulnerability Intelligence / CVE-2026-26273

CVE-2026-26273 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: February 13, 2026

Known - Authentication Bypass

Published: February 13, 2026Updated: February 13, 2026Remote Exploitable

Overview

Known <= 1.6.2 contains a broken authentication vulnerability caused by leaking password reset tokens in hidden HTML input fields, letting unauthenticated attackers perform full account takeover by querying user emails.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 8.4%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can take over any user account without email access, leading to full account compromise.

Mitigation

Update to version 1.6.3 or later.

References

Social Media Activity(2 posts)

Offensive Sequence

@offseq

Feb 14, 2026

🔴 CRITICAL: CVE-2026-26273 in Known <1.6.3 leaks password reset tokens in HTML — full account takeover possible without email access. Upgrade to 1.6.3+ & audit reset flows. https://radar.offseq.com/threat/cve-2026-26273-cwe-200-exposure-of-sensitive-infor-d59f1dbb #OffSeq #CVE202626273 #Vuln #Security

View original post

TheHackerWire

@thehackerwire

Feb 13, 2026

🔴 CVE-2026-26273 - Critical (9.8) Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. Th... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26273/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-26273
Severity: Critical
CVSS Score: 9.8
Type: broken_authentication
Status: new
EPSS: 8.4%
Social Posts: 2

CWE

CWE-200

CVSS Metrics

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

8.4%Probability of exploitation in the next 30 days