5.3
Feiyuchuixue sz-boot-parent: Unauthorized password resets via remote attack
CVE-2026-3186
Summary
A security weakness in Feiyuchuixue sz-boot-parent allows attackers to reset passwords remotely without permission. This could compromise user accounts. To fix this, update sz-boot-parent to version 1.3.3-beta or later, which includes added security checks to prevent unauthorized resets.
What to do
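Upgrade sz-boot-parent to version 1.3.3-beta or later. The original description and the release notes linked below identify that version as the one that addresses this issue.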
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| szadmin | sz-boot-parent | <= 0.9.0 | – |
| szadmin | sz-boot-parent | 1.0.0 | – |
| szadmin | sz-boot-parent | 1.0.1 | – |
| szadmin | sz-boot-parent | 1.0.2 | – |
| szadmin | sz-boot-parent | 1.1.0 | – |
| szadmin | sz-boot-parent | 1.2.0 | – |
| szadmin | sz-boot-parent | 1.2.1 | – |
| szadmin | sz-boot-parent | 1.2.2 | – |
| szadmin | sz-boot-parent | 1.2.3 | – |
| szadmin | sz-boot-parent | 1.2.4 | – |
| szadmin | sz-boot-parent | 1.2.5 | – |
| szadmin | sz-boot-parent | 1.2.6 | – |
| szadmin | sz-boot-parent | 1.3.0 | – |
| szadmin | sz-boot-parent | 1.3.1 | – |
| szadmin | sz-boot-parent | 1.3.2 | – |
Original title
A vulnerability was determined in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this vulnerability is an unknown functionality of the file /api/admin/sys-user/reset/password/ of the com...
Original description
A vulnerability was determined in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected by this vulnerability is an unknown functionality of the file /api/admin/sys-user/reset/password/ of the component Password Reset Handler. This manipulation of the argument userId causes use of default password. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.3.3-beta addresses this issue. Patch name: aefaabfd7527188bfba3c8c9eee17c316d094802. It is suggested to upgrade the affected component. The project was informed beforehand and acted very professionally: "We have added authorization validation to the password reset interface; now only users with the corresponding permissions are allowed to perform password resets."
nvd CVSS2.0
6.5
nvd CVSS3.1
4.3
nvd CVSS4.0
5.3
Vulnerability type
CWE-1393
References
- https://github.com/feiyuchuixue/sz-boot-parent/ (Product)
- https://github.com/feiyuchuixue/sz-boot-parent/commit/aefaabfd7527188bfba3c8c9ee... (Patch)
- https://github.com/feiyuchuixue/sz-boot-parent/releases/tag/v1.3.3-beta (Release Notes)
- https://github.com/yuccun/CVE/blob/main/sz-boot-parent-VPE_Unauthorized_Password... (Exploit, Third Party Advisory)
- https://vuldb.com/?ctiid.347744 (Permissions Required, Third Party Advisory, VDB Entry)
- https://vuldb.com/?id.347744 (Third Party Advisory, VDB Entry)
- https://vuldb.com/?submit.754037 (Third Party Advisory, VDB Entry)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026