Security Advisory - Published 2026-06-12 - PbootCMS

PbootCMS CVE-2026-12066: password recovery exposure check

CVE-2026-12066 affects PbootCMS up to 3.2.12 in the member password recovery handler. The public report points to apps/home/controller/MemberController.php and the recovery flow that handles username, password, email, and verification code fields. If member login is enabled, treat this as an account takeover review.

Defensive scope: confirm version, disable risky recovery exposure, patch, and review account activity. Do not run public PoC code against production or third-party PbootCMS sites.

Who is affected

  • PbootCMS sites running 3.2.12 or earlier.
  • Sites with member registration, login, or password recovery enabled.
  • Chinese-language business sites where PbootCMS is installed once and rarely updated.
  • Agencies hosting several older PbootCMS sites on the same server.

10-minute self-check

Find the running PbootCMS copy

find /var/www /www /home -maxdepth 4 -iname "MemberController.php" 2>/dev/null
grep -RniE "PbootCMS|VERSION|3\.2" /var/www /www /home 2>/dev/null | head -80

Confirm the site root that actually receives traffic. Backup copies and staging folders can create confusion; the public vhost path is the one that matters.

Check member recovery exposure

grep -RniE "function retrieve|retrieve\(" apps/home/controller 2>/dev/null
grep -RniE "member|login|retrieve|password" apps config 2>/dev/null | head -120

If the member recovery handler exists and the public site exposes member login, prioritize patching. If the site does not need member accounts, disable the member area at the application and web-server layer.

Review account and admin changes

find data runtime static upload -type f -mtime -3 2>/dev/null | head -120
grep -RniE "login|member|admin|password" runtime logs data 2>/dev/null | tail -150

Look for unexpected password resets, new member accounts, admin login attempts, and file changes after the advisory time. Preserve logs before deleting suspicious data.
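The three checks above, collected into one small POSIX shell script that reports whether the site needs action. This is an added example written for this page, not code from the PbootCMS project or from the advisory. It assumes what the advisory states: 3.2.12 is the last affected release, the recovery handler is the retrieve function the grep above looks for, and 2026-06-12 is the cut-off for "modified after the advisory". The version string is passed in by hand (read it from the site's own version constant), and the site root in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example, not PbootCMS project code. Assumptions are labelled in the
# comments: last affected release 3.2.12, handler named "retrieve",
# advisory cut-off 2026-06-12 00:00 local time.

# Keep only digits so a suffix such as "12-beta" compares as 12.
digits_only() { printf '%s' "$1" | tr -cd '0-9'; }

# pboot_is_affected VERSION
# Returns 0 (true) when VERSION is 3.2.12 or lower, 1 otherwise. An
# unparseable version compares as 0.0.0 and is reported as affected, which is
# the safe default during a review.
pboot_is_affected() {
    v=${1#v}; v=${v#V}                        # tolerate "v3.2.12"
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    maj=$(digits_only "${1:-0}"); maj=${maj:-0}
    min=$(digits_only "${2:-0}"); min=${min:-0}
    pat=$(digits_only "${3:-0}"); pat=${pat:-0}
    if [ "$maj" -lt 3 ]; then return 0; fi
    if [ "$maj" -gt 3 ]; then return 1; fi
    if [ "$min" -lt 2 ]; then return 0; fi
    if [ "$min" -gt 2 ]; then return 1; fi
    [ "$pat" -le 12 ]
}

# recovery_handler_present SITE_ROOT
# Returns 0 when a "retrieve" function is defined under apps/home/controller
# (the handler the advisory points at), 1 otherwise.
recovery_handler_present() {
    grep -RqiE 'function[[:space:]]+retrieve[[:space:]]*\(' \
        "$1/apps/home/controller" 2>/dev/null
}

# php_modified_since DIR YYYYMMDDhhmm
# Prints PHP files under DIR whose mtime is later than the given time. A
# reference file set with POSIX "touch -t" keeps "find -newer" portable.
php_modified_since() {
    ref=$(mktemp) || return 1
    touch -t "$2" "$ref"
    find "$1" -type f -name '*.php' -newer "$ref" 2>/dev/null | sort
    rm -f "$ref"
}

# self_check SITE_ROOT VERSION
# Prints a short report; returns 0 only when none of the three checks fired.
self_check() {
    root=$1; ver=$2; action=0
    if pboot_is_affected "$ver"; then
        echo "version $ver: AFFECTED (3.2.12 or lower), plan an upgrade"; action=1
    else
        echo "version $ver: not in the affected range"
    fi
    if recovery_handler_present "$root"; then
        echo "member recovery handler present under apps/home/controller"; action=1
    fi
    changed=$(php_modified_since "$root" 202606120000)
    if [ -n "$changed" ]; then
        echo "PHP files modified after 2026-06-12:"; echo "$changed"; action=1
    fi
    return $action
}

# Usage (placeholder path; pass the version you read from the site's files):
#   self_check /var/www/example-site 3.2.12 || echo "needs action"
```

A non-zero exit from self_check means at least one finding; treat a present handler on an affected version as the patch-first case described above, and review any listed PHP files before cleaning anything.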

Safe fix path

  1. Upgrade PbootCMS to a fixed release from the official project or vendor channel.
  2. Temporarily disable public member password recovery if a fixed build is not available.
  3. Rotate administrator and member passwords after patching if recovery was exposed.
  4. Review uploads, templates, and modified PHP files for unexpected changes.
  5. Back up evidence before cleaning accounts or changing the database.
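Step 5 in working form: an added shell example (not from the advisory or the PbootCMS project) that snapshots the runtime, log and data directories into an archive with a SHA-256 manifest before any account cleanup, and can later confirm the preserved files are unchanged. It assumes the directories to preserve are given as arguments, the output directory lives outside the web root, and sha256sum (coreutils) or shasum is installed.

```sh
#!/bin/sh
# Added example, not PbootCMS project code. Preserve evidence with integrity
# hashes before cleaning accounts or touching the database.

# Pick whichever SHA-256 tool the host has (coreutils sha256sum or Perl shasum).
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo "sha256sum"; else echo "shasum -a 256"; fi
}

# preserve_evidence OUT_DIR SRC_DIR...
# Writes OUT_DIR/evidence-<UTC stamp>.tar plus a .sha256 manifest listing every
# regular file's hash and, last, the hash of the archive itself. Both files are
# made read-only. Prints the archive path.
preserve_evidence() {
    out=$1; shift
    [ $# -ge 1 ] || { echo "usage: preserve_evidence OUT_DIR SRC_DIR..." >&2; return 2; }
    mkdir -p "$out" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$out/evidence-$stamp.tar"
    manifest="$out/evidence-$stamp.sha256"
    tool=$(sha256_tool)
    # Hash the live files first so the manifest records their state at snapshot time.
    find "$@" -type f 2>/dev/null | sort | while IFS= read -r f; do $tool "$f"; done > "$manifest"
    tar -cf "$archive" "$@" 2>/dev/null || return 1
    $tool "$archive" >> "$manifest"
    chmod 0400 "$archive" "$manifest"
    echo "$archive"
}

# verify_manifest MANIFEST
# Returns 0 when every file listed in the manifest still matches its hash.
verify_manifest() { $(sha256_tool) -c "$1" --quiet; }

# Usage (placeholder paths):
#   preserve_evidence /root/evidence /var/www/example-site/runtime /var/www/example-site/data
```

Keep the archive and manifest off the web root and copy them to a second location before cleanup; verify_manifest gives a quick check that the copy you hand to a reviewer matches what was captured.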

When to request help

  • The site is customer-facing and member login was enabled.
  • You cannot confirm the PbootCMS version or patch source.
  • There are new admin/member accounts, changed templates, or unknown PHP files.
  • The server hosts several PbootCMS sites and you need a batch review.

Ping7 repair path

Ping7 can check PbootCMS version state, recovery exposure, logs, account changes, templates, and suspicious PHP files. Start from CVE Repair and include the site URL, server panel, PHP version, and whether member login is used.
