{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-11T11:38:28.749","vulnerabilities":[{"cve":{"id":"CVE-2026-25222","sourceIdentifier":"security-advisories@github.com","published":"2026-02-02T23:16:09.923","lastModified":"2026-02-20T20:48:00.380","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms)."},{"lang":"es","value":"PolarLearn es un programa de aprendizaje gratuito y de código abierto. En 0-PRERELEASE-15 y versiones anteriores, una vulnerabilidad de ataque de temporización en el proceso de inicio de sesión permite a atacantes no autenticados determinar si una dirección de correo electrónico específica está registrada en la plataforma. Al medir el tiempo de respuesta del endpoint de inicio de sesión, un atacante puede distinguir entre direcciones de correo electrónico válidas e inválidas. Esto ocurre porque el servidor solo realiza el hash de contraseña Argon2, que es computacionalmente costoso, si el usuario existe en la base de datos. Las solicitudes para usuarios existentes tardan significativamente más tiempo (~650ms) que las solicitudes para usuarios no existentes (~160ms)."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-200"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:polarlearn:polarlearn:-:*:*:*:*:*:*:*","matchCriteriaId":"98DA1036-1EFB-46E7-9C83-425B1C6E6F23"}]}]}],"references":[{"url":"https://github.com/polarnl/PolarLearn/commit/6c276855172c7310cce0df996cb47ffe0d886741","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/polarnl/PolarLearn/security/advisories/GHSA-wcr9-mvr9-4qh5","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}