Description

An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message.

PUBLISHED Reserved 2026-03-04 | Published 2026-04-16 | Updated 2026-04-16 | Assigner mitre

References

daylight.com

fuelcms.com

github.com/...master/fuel/modules/fuel/controllers/Login.php

pentest-tools.com/...ord-Reset-Poisoning-via-Host-Header.pdf

cve.org (CVE-2026-30459)

nvd.nist.gov (CVE-2026-30459)