Cisa: >> Thorium >> 1.1.0 Security Vulnerabilities
CISA Thorium does not rate limit requests to send account verification email messages. A remote unauthenticated attacker can send unlimited messages to a user who is pending verification. Fixed in 1.1.1 by adding a rate limit set by default to 10 minutes.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-09-17
CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a previously used token could still log in after a password reset. Fixed in 1.1.1.
CVSS Score
5.0
EPSS Score
0.0
Published
2025-09-17