GHSA-4g8m-5mj5-c8xg · Severity: medium · Ecosystem: nuget — Umbraco Makes User Enumeration Feasible Based on Timing of Login Response
Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. The issue is patched in versions 10.8.10 and 13.8.1. No known workarounds are available.
Conclusion & alert: CVE-2025-46736 is rated Moderate Risk (40.2/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.31%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-03-02 | 0.07% | 0.31% | +0.24% |
| 2 | 2026-01-20 | 0.04% | 0.07% | +0.03% |
| 3 | 2025-11-21 | — | 0.04% | — |
Full EPSS history (7 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.3 | 3.1 | MEDIUM | | 3.9 | 1.4 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| umbraco | umbraco_cms | < 10.8.10 | cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:* |
| umbraco | umbraco_cms | >= 10.9.0, < 13.8.1 | cpe:2.3:a:umbraco:umbraco_cms:*:*:*:*:*:*:*:* |