Statping-ng Password Reset Vulnerability in Users API Endpoint

Vulnerability

A vulnerability in Statping-ng version 0.91.0 allows remote attackers to perform account takeover by resetting the passwords of administrators. This is achieved by sending a crafted POST request to the '/api/users' endpoint, using a non-privileged API token.

Impact

Exploitation of this vulnerability grants the attacker full administrative control over the Statping-ng application.

Added: Feb 11, 2026, 8:20 PM
Updated: Feb 11, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 3.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.