CVE-2026-31283

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

13/04/2026

Last modified:

13/04/2026

Description

In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack.

Impact

References to Advisories, Solutions, and Tools

https://github.com/saykino/CVE-2026-31283
https://totara.com/