CVE 9.8 CRITICAL

CVE-2026-31283_CVE-2026-31283

April 14, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack.

AI Analysis

Email Bombing vulnerability due to lack of rate limiting in forgot password API

Basic Information

ID CVE-2026-31283

Source mitre

Published Apr 13, 2026 at 00:00

Modified Apr 14, 2026 at 16:32

Affected Product

Vendor Totara Learning

Product Totara LMS

Version v19.1.5 and before

Affected Versions n/a n/a n/a

CWE Classification

CWE-770

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Totara Learning

Product Totara LMS

Version v19.1.5 and before

References

{
    "lastseen": "",
    "description": "In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack.",
    "published": "2026-04-13T00:00:00.000Z",
    "modified": "2026-04-14T16:32:37.891Z",
    "type": "cve",
    "title": "CVE-2026-31283",
    "source": "mitre",
    "references": "https://totara.com/\nhttps://github.com/saykino/CVE-2026-31283",
    "id": "CVE-2026-31283",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Totara LMS",
    "version": "v19.1.5 and before",
    "vendor": "Totara Learning",
    "ai_description": "Email Bombing vulnerability due to lack of rate limiting in forgot password API",
    "ai_severity": "Critical",
    "ai_vendor": "Totara Learning",
    "ai_product": "Totara LMS",
    "ai_version": "v19.1.5 and before",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply