Description
Raytha CMS is vulnerable to User Enumeration in the password reset functionality. A difference in messages could allow an attacker to determine whether a login is valid or not, enabling a brute force attack with valid logins.

This issue was fixed in version 1.5.0.
Published: 2026-03-16
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Account Compromise
Action: Patch
AI Analysis

Impact

Raytha CMS is vulnerable to user enumeration in the password reset functionality. The system returns different error messages depending on whether the supplied login exists, allowing an attacker to confirm valid usernames. This observable-discrepancy weakness (CWE-204) enables automated brute-force attacks against the confirmed accounts, potentially leading to credential compromise and subsequent unauthorized access.

Affected Systems

The vulnerability affects Raytha CMS implementations prior to the release of version 1.5.0. All earlier releases expose the same password reset endpoint behavior, regardless of deployment environment.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. An attacker can exploit the weakness remotely by sending crafted password-reset requests to the public endpoint; no privileges or prior system access are required beyond network reachability.

Generated by OpenCVE AI on March 17, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Raytha CMS to version 1.5.0 or later to eliminate the user‑enumeration flaw.
  • If an upgrade cannot be performed immediately, limit the rate of password-reset requests, or make the password-reset response identical whether or not the login exists, so that error messages no longer reveal valid accounts.
  • Monitor authentication logs for repeated enumeration patterns and block suspicious IP addresses.
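As an added illustration (not Raytha's code), the response-discrepancy pattern the analysis describes is shown beside a hardened handler that returns one reply regardless of login existence, together with a small log check for the repeated-enumeration pattern the third recommendation refers to; the user store, log lines and helper names are constructed for this example.

```python
from collections import defaultdict
import secrets

# Constructed sample user store for the example (not Raytha's data model).
USERS = {"alice@example.com": 1, "bob@example.com": 2}
SENT = []  # (user_id, token) pairs handed to the mailer

def queue_reset_email(user_id: int, token: str) -> None:
    SENT.append((user_id, token))

def reset_vulnerable(login: str) -> tuple[int, str]:
    """CWE-204 pattern: status and message reveal whether the login exists."""
    user_id = USERS.get(login)
    if user_id is None:
        return 404, "No account found for that login."
    queue_reset_email(user_id, secrets.token_urlsafe(32))
    return 200, "A password reset email has been sent."

GENERIC_REPLY = (200, "If an account with that login exists, a reset email has been sent.")

def reset_hardened(login: str) -> tuple[int, str]:
    """Same status and message on both paths; the token is generated either
    way so the amount of work done does not depend on account existence."""
    user_id = USERS.get(login)
    token = secrets.token_urlsafe(32)
    if user_id is not None:
        queue_reset_email(user_id, token)
    return GENERIC_REPLY

def leaks_existence(handler, known: str, unknown: str) -> bool:
    """True if the handler's reply differs between a real and a bogus login."""
    return handler(known) != handler(unknown)

# Constructed log lines in the form "<client ip> <login>", one per reset request.
SAMPLE_LOG = """
203.0.113.7 alice@example.com
203.0.113.7 carol@example.com
203.0.113.7 dave@example.com
203.0.113.7 erin@example.com
198.51.100.2 bob@example.com
""".strip().splitlines()

def enumeration_suspects(lines, threshold: int = 3) -> set[str]:
    """Client IPs that tried at least `threshold` distinct logins (detection cue)."""
    seen = defaultdict(set)
    for line in lines:
        ip, login = line.split()
        seen[ip].add(login)
    return {ip for ip, logins in seen.items() if len(logins) >= threshold}
```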



Advisories

No advisories yet.

History

Mon, 16 Mar 2026 19:30:00 +0000

No values removed. Values added:
First Time appeared: Raytha; Raytha raytha
CPEs: cpe:2.3:a:raytha:raytha:*:*:*:*:*:*:*:*
Vendors & Products: Raytha; Raytha raytha
Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Mon, 16 Mar 2026 14:15:00 +0000

No values removed. Values added:
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 12:00:00 +0000

No values removed. Values added:
Description: Raytha CMS is vulnerable to User Enumeration in password reset functionality. Difference in messages could allow an attacker to determine if the login is valid or not, enabling a brute force attack with valid logins. This issue was fixed in version 1.5.0.
Title: User enumeration in Raytha CMS
Weaknesses: CWE-204
References:
Metrics: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-03-16T13:49:56.219Z

Reserved: 2025-12-30T08:44:21.411Z

Link: CVE-2025-69243

Vulnrichment

Updated: 2026-03-16T13:43:52.554Z

NVD

Status: Analyzed

Published: 2026-03-16T14:18:01.753

Modified: 2026-03-16T19:26:28.350

Link: CVE-2025-69243

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:02:35Z

Weaknesses