GHSA-h27m-3qw8-3pw8 · Severity: medium · Ecosystem: go — Possible ORM Leak Vulnerability in the Harbor
CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter password=~ could be abused to leak out a user's password hash character by character. An attacker with administrator access could exploit this to leak highly sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack.
Conclusion & alert: CVE-2025-30086 is rated Moderate Risk (40.9/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.39%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-05-21 | 0.05% | 0.39% | +0.33% |
| 2 | 2026-03-30 | 0.05% | 0.05% | +0.00% |
| 3 | 2026-02-28 | — | 0.05% | — |
Full EPSS history (7 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 4.9 | 3.1 | MEDIUM |
|
1.2 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-h27m-3qw8-3pw8 · Severity: medium · Ecosystem: go — Possible ORM Leak Vulnerability in the Harbor
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||