{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-23T00:29:08.043","vulnerabilities":[{"cve":{"id":"CVE-2025-56676","sourceIdentifier":"cve@mitre.org","published":"2025-09-30T16:15:53.097","lastModified":"2025-10-18T01:49:15.320","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"TitanSystems Zender v3.9.7 contains an account takeover vulnerability in its password reset functionality. A temporary password or reset token issued to one user can be used to log in as another user, due to improper validation of token-user linkage. This allows remote attackers to gain unauthorized access to any user account by exploiting the password reset mechanism. The vulnerability occurs because the reset token is not correctly bound to the requesting account and is accepted for other user emails during login, enabling privilege escalation and information disclosure."},{"lang":"es","value":"TitanSystems Zender v3.9.7 contiene una vulnerabilidad de toma de control de cuenta en su funcionalidad de restablecimiento de contraseña. Una contraseña temporal o un token de restablecimiento emitido a un usuario puede ser utilizado para iniciar sesión como otro usuario, debido a una validación inadecuada de la vinculación entre el token y el usuario. Esto permite a atacantes remotos obtener acceso no autorizado a cualquier cuenta de usuario explotando el mecanismo de restablecimiento de contraseña. La vulnerabilidad se produce porque el token de restablecimiento no está correctamente vinculado a la cuenta solicitante y es aceptado para otros correos electrónicos de usuario durante el inicio de sesión, lo que permite la escalada de privilegios y la revelación de información."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-1259"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:titansystems:zender:3.9.7:*:*:*:*:*:*:*","matchCriteriaId":"AC5D913E-7304-4EE3-8C14-A9E3630551DB"}]}]}],"references":[{"url":"https://codecanyon.net/item/zender-android-mobile-devices-as-sms-gateway-saas-platform/26594230","source":"cve@mitre.org","tags":["Product"]},{"url":"https://darklotus.medium.com/cve-2025-56676-critical-vulnerability-in-zender-gateway-allows-account-takeover-2b5bcb50c762","source":"cve@mitre.org","tags":["Third Party Advisory"]},{"url":"https://previews.titansystems.ph/zender/dashboard/auth","source":"cve@mitre.org","tags":["Permissions Required"]}]}}]}