CVE-2026-50635

LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, s…

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

Frequently asked questions

What is CVE-2026-50635?
CVE-2026-50635 is a high-severity vulnerability, classified under Weak Password Recovery Mechanism for Forgotten Password. CVSS score: 8.8/10. Published 2026-06-09.

How severe is CVE-2026-50635?
High severity. The CVSS v3 base score is 8.8 out of 10.