PT-2026-34023 · Unknown · Blueprintue

Published: 2026-04-21 · Updated: 2026-04-21 · CVE-2026-40586

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: blueprintUE versions prior to 4.2.0

Description: The login form handler does not throttle authentication attempts. Without IP-based rate limiting, per-account attempt counters, temporary lockouts, progressive delays (tarpit), or CAPTCHA challenges, an attacker can submit an unlimited number of credential guesses. The password policy (10 or more characters with mixed case, digits, and special characters) raises the cost of guessing but does not by itself prevent dictionary attacks, credential stuffing from breached databases, or targeted attacks against users with predictable passwords.

Recommendations: Update to version 4.2.0.
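As an added illustration of the controls the description lists (this is not blueprintUE's own code or its 4.2.0 fix), the throttle below keeps per-account and per-IP failure counters, applies a doubling progressive delay, and imposes a temporary lockout once a threshold is reached; the key format, thresholds and the `verify` callback are assumptions.

```python
import time
from dataclasses import dataclass
MAX_ATTEMPTS = 5        # failures before a temporary lockout (assumed policy)
LOCKOUT_SECONDS = 900   # 15-minute lockout (assumed policy)
BASE_DELAY = 1.0        # progressive (tarpit) delay: 1 s, 2 s, 4 s, ...

@dataclass
class AttemptState:
    failures: int = 0
    locked_until: float = 0.0   # lockout expiry, in clock seconds
    next_allowed: float = 0.0   # earliest time the next attempt may run

class LoginThrottle:
    """Failed-login bookkeeping keyed by account and by source IP."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so tests can control time
        self.state: dict[str, AttemptState] = {}

    def check(self, key: str) -> tuple[bool, float]:
        """Return (allowed, seconds to wait) for an attempt under `key`."""
        s = self.state.setdefault(key, AttemptState())
        now = self.clock()
        blocked_until = max(s.locked_until, s.next_allowed)
        if now < blocked_until:
            return False, blocked_until - now
        return True, 0.0

    def record(self, key: str, success: bool) -> None:
        """Update counters after an attempt; a success clears the key."""
        if success:
            self.state.pop(key, None)
            return
        s = self.state.setdefault(key, AttemptState())
        now = self.clock()
        s.failures += 1
        s.next_allowed = now + BASE_DELAY * 2 ** (s.failures - 1)
        if s.failures >= MAX_ATTEMPTS:
            s.locked_until = now + LOCKOUT_SECONDS

def attempt_login(throttle, ip, username, password, verify) -> str:
    """Gate one attempt on both the account and the IP before verifying."""
    keys = (f"user:{username}", f"ip:{ip}")
    for key in keys:
        allowed, wait = throttle.check(key)
        if not allowed:
            return f"throttled:{key}:{wait:.0f}s"
    ok = verify(username, password)      # hypothetical credential check
    for key in keys:
        throttle.record(key, ok)
    return "ok" if ok else "bad-credentials"
```

Because the IP key is checked as well as the account key, a lockout triggered by guesses against one account also blocks further attempts from the same source against other accounts until it expires.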

Weakness Enumeration: Improper Restriction of Excessive Authentication Attempts

Related Identifiers: CVE-2026-40586

Affected Products: Blueprintue