PT-2026-32360 · Totara · Totara Lms
Saykino · Published 2026-04-13 · Updated 2026-04-13 · CVE-2026-31283
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Totara LMS versions prior to 19.1.5
Description
The forgot password API does not rate-limit requests per target email address, which allows an Email Bombing attack. Email Bombing is a technique in which a large volume of emails is sent to a single address to overwhelm the recipient or the mail server.
Recommendations
Update to a version newer than 19.1.5.
As a temporary workaround, restrict access to the forgot password API endpoint to minimize the risk of exploitation.
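The weakness described above is the absence of a limit tied to the address that will receive the mail. The following is an added illustration, not Totara code or part of this advisory, of a sliding-window limiter keyed on the normalised target address and wired into a forgot-password handler; the limit of three requests per address per hour and the helper names are assumptions, chosen for the example.

```python
import time
from collections import defaultdict, deque

# Assumed policy for this example (not from the advisory):
# at most 3 reset mails per address in any 1-hour window.
MAX_REQUESTS_PER_WINDOW = 3
WINDOW_SECONDS = 3600


class ForgotPasswordLimiter:
    """Sliding-window limiter keyed on the normalised target email address.

    The limit is tied to the address that would *receive* the mail, not only
    to the requesting client, so rotating source addresses does not help
    an attacker flood a single inbox.
    """

    def __init__(self, max_requests=MAX_REQUESTS_PER_WINDOW,
                 window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window
        self.clock = clock          # injectable for testing
        self._hits = defaultdict(deque)

    @staticmethod
    def normalise(email):
        # Lower-case and trim so "Victim@Example.com " and
        # "victim@example.com" share one bucket.
        return email.strip().lower()

    def allow(self, email):
        """Return True if a reset mail may be sent to this address now."""
        key = self.normalise(email)
        now = self.clock()
        hits = self._hits[key]
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def handle_forgot_password(email, limiter, send_reset_mail):
    """Hypothetical endpoint handler: sends at most the permitted number of
    mails and always returns the same generic message, so the throttle
    reveals nothing about whether the account exists."""
    if limiter.allow(email):
        send_reset_mail(email)
    return "If an account exists for that address, a reset link has been sent."


if __name__ == "__main__":
    outbox = []
    limiter = ForgotPasswordLimiter()
    # Constructed input: ten rapid requests against one address.
    for _ in range(10):
        handle_forgot_password("Victim@Example.com", limiter, outbox.append)
    print(f"mails actually sent: {len(outbox)}")   # 3 with the assumed policy
```

In production the hit store would live in a shared cache rather than in process memory, and a per-client limit would sit alongside this per-address one; the per-address limit is the one that directly addresses the flooding described in this record.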
Weakness Enumeration
Allocation of Resources Without Limits
Related Identifiers
CVE-2026-31283
Affected Products
Totara Lms