CVE-2017-8385by Jeremyin Security Bulletinson Posted on May 1, 2017 Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.