216.73.217.172

CVE-2026-27812

· Published 26/02/2026 00:16 · Modified 27/02/2026 14:06

Labels: CVE-2026-27812 2026-02-26CVE-2026-27812CWE-116[email protected]

Essential information

Published
26/02/2026 00:16
Modified
27/02/2026 14:06
Author
Creator
CVSS
8.0 HIGH (v3) 8.0 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Sub2API is an AI API gateway platform designed to distribute and manage API quotas from AI product subscriptions. A vulnerability in versions prior to 0.1.85 is a Password Reset Poisoning (Host Header / Forwarded Header trust issue), which allows attackers to manipulate the password reset link. Attackers can exploit this flaw to inject their own domain into the password reset link, leading to the potential for account takeover. The vulnerability has been fixed in version v0.1.85. If upgrading is not immediately possible, users can mitigate the vulnerability by disabling the "forgot password" feature until an upgrade to a patched version can be performed. This will prevent attackers from exploiting the vulnerability via the affected endpoint.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
sub2api / sub2api cpe:2.3:a:sub2api:sub2api:<0.1.85:*:*:*:*:*:*:*

References