Cisa: >> Thorium Security Vulnerabilities
CISA Thorium does not rate limit requests to send account verification email messages. A remote unauthenticated attacker can send unlimited messages to a user who is pending verification. Fixed in 1.1.1 by adding a rate limit set by default to 10 minutes.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-09-17
CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a previously used token could still log in after a password reset. Fixed in 1.1.1.
CVSS Score
5.0
EPSS Score
0.0
Published
2025-09-17
CISA Thorium does not validate TLS certificates when connecting to Elasticsearch. An unauthenticated attacker with access to a Thorium cluster could impersonate the Elasticsearch service. Fixed in 1.1.2.
CVSS Score
4.2
EPSS Score
0.0
Published
2025-09-17