Sub2API Password Reset Poisoning Vulnerability Leading to Account Takeover

Vulnerability

A password reset poisoning vulnerability has been identified in Sub2API versions prior to 0.1.85. The application trusts the Host and Forwarded request headers when it constructs the password reset link, so an attacker can inject their own domain into the link that is sent to the victim. Exploitation of this vulnerability could lead to account takeover.

Impact

Exploitation allows for password reset link manipulation, potentially leading to unauthorized account access.

Remediation

Users are advised to upgrade to Sub2API version 0.1.85 or later. If an immediate upgrade is not possible, the 'forgot password' feature can be disabled temporarily to prevent exploitation until the upgrade is completed.
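The underlying fix is to build the reset link from a configured canonical base URL rather than from anything the client sends. The Go example below is added here for illustration and is not Sub2API's own code; the base URL, the "/reset-password" path and the allowlist values are assumptions.

```go
package main

import (
	"errors"
	"net"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// BuildResetLink derives the reset link from the operator-configured base URL
// only; Host, X-Forwarded-Host and Forwarded headers are never consulted, so a
// client cannot steer the link to its own domain. "/reset-password" is assumed.
func BuildResetLink(base, token string) (string, error) {
	u, err := url.Parse(base)
	if err != nil || u.Host == "" || (u.Scheme != "https" && u.Scheme != "http") {
		return "", errors.New("reset base URL must be an absolute http(s) URL")
	}
	u.Path = path.Join(u.Path, "/reset-password")
	u.RawQuery = url.Values{"token": {token}}.Encode()
	return u.String(), nil
}

// hostOnly drops any port and normalises case/whitespace before comparison.
func hostOnly(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.ToLower(strings.TrimSpace(h))
}

// RequestHostAllowed is a defence-in-depth check for the forgot-password handler:
// Host and every proxy-supplied X-Forwarded-Host value must be allowlisted.
func RequestHostAllowed(r *http.Request, allowed []string) bool {
	allow := map[string]bool{}
	for _, a := range allowed {
		allow[hostOnly(a)] = true
	}
	seen := []string{r.Host}
	if xfh := r.Header.Get("X-Forwarded-Host"); xfh != "" {
		seen = append(seen, strings.Split(xfh, ",")...)
	}
	for _, c := range seen {
		if !allow[hostOnly(c)] {
			return false
		}
	}
	return true
}
```

Rejecting requests whose host headers are not on the allowlist gives a log signal for poisoning attempts even once the link itself no longer depends on those headers.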

Added: Feb 26, 2026, 7:53 AM
Updated: Feb 26, 2026, 7:53 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.