Horde · Horde Groupware · CVE-2025-41066
**Name of the Vulnerable Software and Affected Versions**
Horde Groupware version 5.2.22
**Description**
An unauthenticated attacker can determine the existence of valid accounts on the system. This is achieved by sending an HTTP request to the `/imp/attachment.php` endpoint with the parameters `id` and `u`. If the specified user exists, the server returns the download of an empty file. If the user does not exist, no download is initiated, revealing whether the user is valid.
**Recommendations**
Update to a newer version that contains a fix for this vulnerability.
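Until the update is applied, access logs can be reviewed for the probing pattern described above. The following is an added detection example, not part of the original advisory or of Horde's code: it flags clients that request the attachment endpoint with many distinct `u` values. The combined log format, the `/horde` install prefix, the case-insensitive username comparison and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: the web server writes Apache/nginx "combined" access logs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')
ENDPOINT = "/imp/attachment.php"  # endpoint named in the advisory
THRESHOLD = 3  # assumed alert level: distinct `u` values from one client


def enumeration_suspects(lines, threshold=THRESHOLD):
    """Map client IP -> sorted `u` values for clients that requested the
    attachment endpoint with at least `threshold` distinct usernames."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        url = urlsplit(m.group("target"))
        # endswith() tolerates an install prefix such as /horde (assumed).
        if not url.path.endswith(ENDPOINT):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if "id" not in params or "u" not in params:
            continue  # the advisory's request carries both parameters
        # Assumption: usernames compare case-insensitively.
        seen[m.group("ip")].update(u.lower() for u in params["u"])
    return {ip: sorted(us) for ip, us in seen.items() if len(us) >= threshold}


# Constructed sample log lines: documentation IPs, made-up usernames and ids.
# Status and size fields are placeholders and are not inspected.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /horde/imp/attachment.php?id=1&u=alice HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /horde/imp/attachment.php?id=1&u=bob HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.20 - - [01/Jan/2025:10:00:03 +0000] "GET /horde/imp/attachment.php?id=9&u=erin HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.7 - - [01/Jan/2025:10:00:04 +0000] "GET /horde/imp/attachment.php?id=1&u=carol%40example.org HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.20 - - [01/Jan/2025:10:00:05 +0000] "GET /horde/imp/attachment.php?id=9&u=erin HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.7 - - [01/Jan/2025:10:00:06 +0000] "GET /horde/imp/ HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.7 - - [01/Jan/2025:10:00:07 +0000] "GET /horde/imp/attachment.php?id=1&u=Alice HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, users in enumeration_suspects(SAMPLE).items():
        print(f"{ip}: {len(users)} distinct usernames: {', '.join(users)}")
```

Tune the threshold to the deployment: a client repeatedly requesting the same `u` value stays below it, while one cycling through usernames crosses it quickly.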