PT-2025-48687 · Horde+1 · Horde Groupware+1

Amador Aparicio · Published 2025-12-02 · Updated 2025-12-02 · CVE-2025-41066

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Horde Groupware version 5.2.22

Description

An unauthenticated attacker can determine whether an account exists on the system by sending an HTTP request to the "/imp/attachment.php" endpoint with the parameters id and u. If the specified user exists, the server responds with a download of an empty file. If the user does not exist, no download is initiated, and this difference reveals whether the user is valid.

Recommendations

Update to a newer version that contains a fix for this vulnerability.
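
Until the update is applied, web server logs can show whether the endpoint is being probed. The following is an added example, not part of the original advisory or of Horde's code: it counts how many distinct u values each client sends to /imp/attachment.php and reports clients at or above a threshold. The combined access log format, the threshold of 3, the function names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not taken from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2025:10:00:01 +0000] "GET /imp/attachment.php?id=a1&u=alice HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [02/Dec/2025:10:00:02 +0000] "GET /imp/attachment.php?id=a1&u=bob HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [02/Dec/2025:10:00:03 +0000] "GET /horde/imp/attachment.php?id=a1&u=carol HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [02/Dec/2025:10:00:04 +0000] "GET /imp/attachment.php?id=a1&u=dave HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [02/Dec/2025:10:00:05 +0000] "GET /imp/attachment.php?id=a1&u=Alice HTTP/1.1" 200 0 "-" "-"
198.51.100.20 - - [02/Dec/2025:10:05:00 +0000] "GET /imp/attachment.php?id=f1&u=alice HTTP/1.1" 200 0 "-" "-"
198.51.100.20 - - [02/Dec/2025:10:05:09 +0000] "GET /imp/attachment.php?id=f2&u=alice HTTP/1.1" 200 0 "-" "-"
192.0.2.5 - - [02/Dec/2025:10:06:00 +0000] "GET /imp/dynamic.php?page=mailbox HTTP/1.1" 200 512 "-" "-"
"""

# Client address and request target from a combined-format line (assumed format).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) ')
ENDPOINT = "/imp/attachment.php"  # endpoint named in the advisory
THRESHOLD = 3                     # assumed cut-off; tune to local traffic

def distinct_users_per_client(log_text):
    """Map each client IP to the set of distinct u values it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line, skip rather than guess
        url = urlsplit(m.group("target"))
        # endswith() also covers installs served under a path prefix
        if not url.path.endswith(ENDPOINT):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if "id" not in params:
            continue  # the advisory describes requests carrying both id and u
        for user in params.get("u", []):
            seen[m.group("ip")].add(user.lower())
    return seen

def flag_enumeration(log_text, threshold=THRESHOLD):
    """Return clients that asked about at least `threshold` different users."""
    per_client = distinct_users_per_client(log_text)
    return {ip: sorted(u) for ip, u in per_client.items() if len(u) >= threshold}

if __name__ == "__main__":
    for ip, users in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip} requested {len(users)} distinct users: {', '.join(users)}")
```

Parameters sent in a request body do not appear in an access log, so this check only sees values passed in the query string.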

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-41066

Affected Products

Debian
Horde Groupware