CWE-640

Weak Password Recovery Mechanism for Forgotten Password

The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

We have discovered 10,094 live websites that are affected by CWE-640.

Available Reports

Website List

CVEs

Count - 12

CWE References

cwe.mitre.org

Website Distribution by Country

Number of websites using CWE-640

United States	4,411 websites

Germany	758 websites
Iran	719 websites
GB	544 websites
France	406 websites
Italy	314 websites
Cyprus	232 websites
Canada	218 websites
Denmark	176 websites
Australia	169 websites

Website Distribution by TLD

Number of websites using CWE-640

.com	5,501 websites
.org	552 websites
.net	321 websites
.de	249 websites
.co.uk	234 websites
.it	214 websites
.com.au	156 websites
.fr	129 websites
.dk	126 websites
.nl	126 websites

Newest CVEs

List of the most recent CVEs that are part of CWE-640

Discovered	CVE	Description	Websites
Apr, 2026	CVE-2026-33707	Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms	9
Feb, 2026	CVE-2026-27593	Statamic is vulnerable to account takeover via password reset link injection	1
Dec, 2025	CVE-2025-14783	Easy Digital Downloads <= 3.6.2 - Unvalidated Redirect in Password Reset Flow via edd_redirect	8,335
Nov, 2025	CVE-2025-62406	Piwigo is vulnerable to one-click account takeover by modifying the password-reset link	141
Feb, 2025	CVE-2025-1570	Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.1 - Privilege Escalation and Account Takeover via Weak OTP	334
Jan, 2025	CVE-2024-11350	AdForest <= 5.1.6 - Privilege Escalation via Password Reset/Account Takeover	2
Nov, 2024	CVE-2024-11103	Contest Gallery <= 24.0.7 - Unauthenticated Arbitrary Password Reset to Privilege Escalation/Account Takeover	16
Oct, 2024	CVE-2024-9305	AppPresser – Mobile App Framework <= 4.4.4 - Privilege Escalation and Account Takeover via Weak OTP	35
Jun, 2024	CVE-2024-6125	Login with phone number <= 1.7.34 - Insecure Password Reset Mechanism	2
Jun, 2024	CVE-2023-7264	Build App Online <= 1.0.22 - Account Takeover via Weak Password Reset Mechanism	44

The most widespread CVEs

List of the most common CVEs that are part of CWE-640

Discovered	CVE	Description	Websites
Dec, 2025	CVE-2025-14783	Easy Digital Downloads <= 3.6.2 - Unvalidated Redirect in Password Reset Flow via edd_redirect	8,335
Jan, 2022	CVE-2022-22691	Umbraco Password Reset URL Poison	842
Aug, 2021	CVE-2021-37693	Re-use of email tokens in Discourse	335
Feb, 2025	CVE-2025-1570	Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.1 - Privilege Escalation and Account Takeover via Weak OTP	334
Nov, 2025	CVE-2025-62406	Piwigo is vulnerable to one-click account takeover by modifying the password-reset link	141
Jun, 2024	CVE-2023-7264	Build App Online <= 1.0.22 - Account Takeover via Weak Password Reset Mechanism	44
Oct, 2024	CVE-2024-9305	AppPresser – Mobile App Framework <= 4.4.4 - Privilege Escalation and Account Takeover via Weak OTP	35
Nov, 2024	CVE-2024-11103	Contest Gallery <= 24.0.7 - Unauthenticated Arbitrary Password Reset to Privilege Escalation/Account Takeover	16
Apr, 2026	CVE-2026-33707	Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms	9
Jun, 2024	CVE-2024-6125	Login with phone number <= 1.7.34 - Insecure Password Reset Mechanism	2

Websites affected by CWE-640

Top websites that are affected by CWE-640. Please click on the "Contact us" link to get more information.

Domain	Country	Rank
***************.eu	Netherlands	,**
**************.com	Canada	,**
**********.com	United States	,**
*********.com	United States	,**
*********.com	United States	,**
****.*******.com	United States	,**
*************.com	United States	,**
*********.com	United States	,**
**********.com	Australia	,*
***********.com	United States	,*

See full domain list