Vulnerabilities (CVE)

Filtered by vendor Cisa
Filtered by product Thorium
Total 3 CVE
CVE-2025-35432
Vendors: 1 (Cisa); Products: 1 (Thorium); Updated: 2025-09-23; CVSS v2: N/A; CVSS v3: 5.3 MEDIUM
CISA Thorium does not rate limit requests to send account verification email messages. A remote unauthenticated attacker can send unlimited messages to a user who is pending verification. Fixed in 1.1.1 by adding a rate limit set by default to 10 minutes.

CVE-2025-35434
Vendors: 1 (Cisa); Products: 1 (Thorium); Updated: 2025-09-23; CVSS v2: N/A; CVSS v3: 4.2 MEDIUM
CISA Thorium does not validate TLS certificates when connecting to Elasticsearch. An unauthenticated attacker with access to a Thorium cluster could impersonate the Elasticsearch service. Fixed in 1.1.2.

CVE-2025-35433
Vendors: 1 (Cisa); Products: 1 (Thorium); Updated: 2025-09-23; CVSS v2: N/A; CVSS v3: 5.0 MEDIUM
CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a previously used token could still log in after a password reset. Fixed in 1.1.1.