Description
Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges.

This issue was fixed in version 1.4.6.
Published: 2026-03-16
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Credential Access via Brute‑Force
Action: Apply Patch
AI Analysis

Impact

Raytha CMS does not implement any brute‑force protection, allowing attackers to send an unlimited number of automated login requests against the authentication endpoint. This weakness is a failure of brute‑force protection (CWE‑307) and can enable credential stuffing or unauthorized access. The impact is that compromised user credentials may grant an attacker access to sensitive application data and functions.

Affected Systems

The vulnerability affects all Raytha CMS releases prior to version 1.4.6. Users running those versions are exposed to brute‑force login attempts, while the issue is resolved in 1.4.6 and later.

Risk and Exploitability

The CVSS base score of 6.9 indicates moderate severity, and the EPSS score of less than 1 % suggests a low likelihood of exploitation. The issue is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending many requests to the login endpoint from any location, provided the application does not enforce connection limits or additional delays. The exploit requires only network access to the web interface and does not rely on privileged configuration, making it straightforward to test if the system lacks external anti‑brute‑force controls. The overall risk is moderate given the severity metric but low due to the low probability of real‑world exploitation without external defenses.

Generated by OpenCVE AI on March 22, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Raytha CMS to version 1.4.6 or newer
  • Deploy rate limiting or firewall rules to restrict authentication attempts from a single IP address
  • Enable multi‑factor authentication for accounts with elevated privileges to reduce impact of compromised credentials
  • Monitor authentication logs for abnormal patterns and investigate suspicious activity

Generated by OpenCVE AI on March 22, 2026 at 15:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Raytha
Raytha raytha
CPEs cpe:2.3:a:raytha:raytha:*:*:*:*:*:*:*:*
Vendors & Products Raytha
Raytha raytha
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 16 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges. This issue was fixed in version 1.4.6.
Title Lack of bruteforce protection in Raytha CMS
Weaknesses CWE-307
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Raytha Raytha
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-03-16T13:49:55.933Z

Reserved: 2025-12-30T08:44:21.411Z

Link: CVE-2025-69246

cve-icon Vulnrichment

Updated: 2026-03-16T13:43:48.615Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:18:02.093

Modified: 2026-03-16T19:21:32.470

Link: CVE-2025-69246

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T07:02:33Z

Weaknesses