PocketBase performs password auth and OAuth2 unverified email linking
In order to be exploited you must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: a malicious actor register with the targeted user's email (it is unverified) at some later point in time the targeted user stumble on your app and decides to sign-up with OAuth2 (this step could be also initiated by the attacker by sending an invite email to the targeted user) …