CVE-2026-31283: In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address....
HIGH
CVSS 7.5
EPSS 0.02%
Exploit Available
1 PoC
Published: April 13, 2026 | Last Modified: April 13, 2026
Description
In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address, which can be used for an email bombing attack.
Ghostwire Analysis — What This Means Practically
Exploitation Probability (EPSS): Low — 0.02% (5th percentile)
Low exploitation probability based on current threat landscape data. Standard patching timeline is appropriate.
- High CVSS score indicates significant risk — exploitation could lead to substantial data exposure or system compromise.
- 1 proof-of-concept exploit available on GitHub. Public exploit code lowers the barrier for both researchers and attackers.
This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.