CVE-2026-25222
HIGH 7.5
Description
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms).
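The pattern the description outlines, alongside a hardened form, as an added example that is not PolarLearn's code: the standard-library scrypt KDF stands in for Argon2, an in-memory dict for the database, and all names are made up for illustration. The vulnerable handler skips the KDF when the email is unknown, which is exactly what an attacker measures; the hardened handler hashes a random dummy credential on that path so both branches pay the same cost and the result of the existence check is only consumed after the hash.

```python
import hashlib
import hmac
import os
import time
from statistics import median

# Added example, not PolarLearn's code. scrypt (standard library) stands in for
# Argon2 and a dict for the user table, so everything runs offline.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # tens of ms per call, 16 MiB

KDF_CALLS = 0  # instrumentation: how many times the expensive KDF actually ran


def kdf(password: str, salt: bytes) -> bytes:
    """Expensive password hash (stand-in for Argon2)."""
    global KDF_CALLS
    KDF_CALLS += 1
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


USERS = {}  # constructed in-memory user store: email -> (salt, digest)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[email] = (salt, kdf(password, salt))


def login_vulnerable(email: str, password: str) -> bool:
    """The advisory's pattern: the KDF only runs when the email exists, so an
    unknown email answers in microseconds and a known one in hundreds of ms."""
    record = USERS.get(email)
    if record is None:
        return False  # fast path: no hashing, observable from the network
    salt, digest = record
    return hmac.compare_digest(kdf(password, salt), digest)


# Hardened form: when the email is unknown, hash against a dummy credential whose
# password is random and never matches, so both branches cost one KDF call.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = hashlib.scrypt(
    os.urandom(16).hex().encode(), salt=_DUMMY_SALT, **SCRYPT_PARAMS
)


def login_hardened(email: str, password: str) -> bool:
    record = USERS.get(email)
    exists = record is not None
    salt, digest = record if exists else (_DUMMY_SALT, _DUMMY_DIGEST)
    match = hmac.compare_digest(kdf(password, salt), digest)
    return exists and match  # existence only consumed after the KDF has run


def kdf_calls(login, email: str, password: str) -> int:
    """KDF invocations triggered by one login attempt (0 marks the fast path)."""
    before = KDF_CALLS
    login(email, password)
    return KDF_CALLS - before


def median_ms(login, email: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock time of one attempt, as an attacker would measure it."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        login(email, password)
        samples.append((time.perf_counter() - t0) * 1000)
    return median(samples)


register("alice@example.com", "correct horse battery staple")  # constructed user

if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        known = median_ms(fn, "alice@example.com", "wrong-password")
        unknown = median_ms(fn, "nobody@example.com", "wrong-password")
        print(f"{name:10s} known email {known:7.1f} ms  unknown email {unknown:7.1f} ms")
```

Running it prints a large gap between known and unknown emails for `login_vulnerable` and none for `login_hardened`. Counting KDF invocations rather than milliseconds is the robust way to check this in a unit test, since wall-clock timings vary by host; the patch in the referenced commit may take a different approach, and this block only illustrates the general mitigation.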
CVE details
CVSS v3.1 score: 7.5
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 2/2/2026
Last modified: 2/20/2026
Source: nvd
Honeypot observations: 0
Affected products
polarlearn:polarlearn
Weaknesses (CWE)
CWE-200
References
https://github.com/polarnl/PolarLearn/commit/6c276855172c7310cce0df996cb47ffe0d886741(security-advisories@github.com)
https://github.com/polarnl/PolarLearn/security/advisories/GHSA-wcr9-mvr9-4qh5(security-advisories@github.com)
IOC correlations
No correlation recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.