CVE Database · CVE-2025-41066
CVSS v3.1
5.3
CVSS v4.0
6.9
EPSS
0.21%
Published
Dec 2, 2025
Modified
Dec 3, 2025
Public PoC / Exploit
All weaponized →No public PoC or exploit code indexed for this CVE.
Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.
Description
Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of valid accounts on the system. To exploit the vulnerability, an HTTP request must be sent to ‘/imp/attachment.php’ including the parameters ‘id’ and ‘u’. If the specified user exists, the server will return the download of an empty file; if it does not exist, no download will be initiated, which unequivocally reveals the validity of the user.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NWeaknesses (CWE)
Affected Products (1)
References (1)