9.4
Smanga 3.2.7 allows attackers to reset any user's password
CVE-2025-70833
Summary
An unauthenticated attacker can reset any user's password, including the administrator's. This could allow them to take full control of the affected account. Update Smanga to a fixed version once one is available.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| lkw199711 | smanga | 3.2.7 | – |
Original title
An Authentication Bypass vulnerability in Smanga 3.2.7 allows an unauthenticated attacker to reset the password of any user (including the administrator) and fully take over the account by manipulat...
Original description
An Authentication Bypass vulnerability in Smanga 3.2.7 allows an unauthenticated attacker to reset the password of any user (including the administrator) and fully take over the account by manipulating POST parameters. The issue stems from insecure permission validation in check-power.php.
nvd CVSS3.1
9.4
Vulnerability type
CWE-287
Improper Authentication
CWE-639
Authorization Bypass Through User-Controlled Key
- https://github.com/LX-66-LX/cve/issues/4 Broken Link
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026