CVE-2025-46736

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-46736

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46736.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-46736

Aliases

GHSA-4g8m-5mj5-c8xg

Published

2025-05-06T17:08:23.503Z

Modified

2026-04-10T05:28:32.978842Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Umbraco Makes User Enumeration Feasible Based on Timing of Login Response

Details

Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. The issue is patched in versions 10.8.10 and 13.8.1. No known workarounds are available.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-204"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/46xxx/CVE-2025-46736.json"
}

References

Affected packages

Git / github.com/umbraco/umbraco-cms

Affected ranges

Type

GIT

Repo

https://github.com/umbraco/umbraco-cms

Events

Introduced

38712dce16aa9412af3d81d4884bfc6e5533e019

Fixed

dcbbed4160488278a6e7742fd6ada876c6e87f79

Database specific

{
    "versions": [
        {
            "introduced": "11.0.0-rc1"
        },
        {
            "fixed": "13.8.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/umbraco/umbraco-cms

Events

Introduced

Fixed

ba95c12f099fe3d6f069c326dff13d0edbfe87e8

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.8.10"
        }
    ]
}

Affected versions

4.*

4.7.2

Release-4.*

Release-4.5.2

Release-4.6.0

Other

Sprint-Juno-A

release-netcore-alpha002

release-netcore-alpha004

release-10.*

release-10.0.0-rc1

release-10.1.0-rc

release-10.6.0-rc

release-10.7.0

release-10.8.0

release-10.8.0-rc

release-10.8.1

release-10.8.2

release-10.8.3

release-10.8.4

release-10.8.5

release-10.8.6

release-10.8.7

release-10.8.8

release-10.8.9

release-12.*

release-12.3.4

release-6.*

release-6.1.0-beta

release-7.*

release-7.0.0

release-7.0.0-RC

release-7.0.0-beta

release-7.1.0

release-7.1.0-RC

release-7.1.1

release-7.1.2

release-7.1.3

release-7.1.4

release-7.2.0-alpha

release-7.2.0-beta

release-7.2.0-beta2

release-9.*

release-9.0.0

release-9.0.0-beta001

release-9.0.0-beta002

release-9.0.0-beta003

release-9.0.0-beta004

release-9.0.0-rc002

release-9.0.0-rc003

release-9.0.0-rc004

release-netcore-0.*

release-netcore-0.5.0-alpha001

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46736.json"