Totara LMS Forgot Password API Rate Limiting Vulnerability Allowing Email Bombing

Vulnerability

A vulnerability exists in Totara LMS versions through 19.1.5 in the forgot password API, which does not rate-limit requests for a given target email address. Because a reset can be requested for the same address any number of times, the endpoint can be used to launch an email bombing attack against the victim's inbox.

Impact

Exploitation of this vulnerability can lead to an email bombing attack, where a victim's email is flooded with messages, potentially causing disruption or inconvenience.

Remediation

It is recommended to implement rate limiting on the forgot password API, keyed on the target email address, to prevent abuse.
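As an added illustration of the remediation (this is example code, not Totara's own implementation), the handler below limits how many reset emails can be sent per target address within a window. It assumes an in-memory store (a shared store such as Redis or the application database would be used across web nodes) and a caller-supplied send_reset_email() hook; the additional per-client limit and the constructed request traffic in simulate() are assumptions of the example, not details from the advisory.

```python
"""Per-target rate limiting for a forgot-password endpoint.

Added example, not Totara's code. Assumes an in-memory store and a
send_reset_email(address) hook supplied by the caller.
"""
import time
from collections import deque
from typing import Callable, Deque, Dict, List, Tuple


class PerKeyRateLimiter:
    """Sliding-window limiter: at most `limit` events per `window` seconds per key."""

    def __init__(self, limit: int, window: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events: Dict[str, Deque[float]] = {}

    def allow(self, key: str) -> bool:
        """Record an event for `key` and return True if it is within the limit."""
        now = self.clock()
        events = self._events.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


# The response is identical whether or not an email is sent, so the endpoint
# reveals neither which addresses have accounts nor which were throttled.
GENERIC_RESPONSE = "If an account exists for that address, a reset email has been sent."


class ForgotPasswordHandler:
    """Sends at most a few reset emails per target address per window.

    The limit is keyed on the normalised target address, not only on the
    requester: a client-only limit is defeated by spreading requests across
    many source IPs, while the victim's inbox still receives every email.
    """

    def __init__(self, send_reset_email: Callable[[str], None],
                 email_limiter: PerKeyRateLimiter,
                 ip_limiter: PerKeyRateLimiter) -> None:
        self.send_reset_email = send_reset_email
        self.email_limiter = email_limiter
        self.ip_limiter = ip_limiter
        # (address, ip) pairs that were throttled, for logging and alerting.
        self.throttled: List[Tuple[str, str]] = []

    @staticmethod
    def normalise(email: str) -> str:
        # Treat "Victim@Example.com " and "victim@example.com" as one target.
        return email.strip().lower()

    def handle(self, email: str, client_ip: str) -> str:
        target = self.normalise(email)
        # Per-client limit first, then the per-target limit that closes this bug.
        if not self.ip_limiter.allow(client_ip) or not self.email_limiter.allow(target):
            self.throttled.append((target, client_ip))
            return GENERIC_RESPONSE  # same response, but no email is sent
        self.send_reset_email(target)
        return GENERIC_RESPONSE


def simulate(requests: List[Tuple[str, str, float]],
             email_limit: int = 3, ip_limit: int = 10,
             window: float = 3600.0) -> Tuple[int, int]:
    """Replay constructed (email, client_ip, seconds) requests under a fake clock.

    Returns (emails_sent, requests_throttled).
    """
    now = [0.0]

    def clock() -> float:
        return now[0]

    sent: List[str] = []
    handler = ForgotPasswordHandler(
        sent.append,
        PerKeyRateLimiter(email_limit, window, clock),
        PerKeyRateLimiter(ip_limit, window, clock),
    )
    for email, ip, at in requests:
        now[0] = at
        handler.handle(email, ip)
    return len(sent), len(handler.throttled)


if __name__ == "__main__":
    # Constructed scenario: 20 requests for one address from 20 different IPs.
    flood = [("victim@example.com", f"198.51.100.{i}", float(i)) for i in range(20)]
    print("sent, throttled =", simulate(flood))  # (3, 17)
```

The per-address bucket is what actually caps the victim's inbox: in the constructed flood, twenty requests from twenty different source addresses still produce only three emails, and the rejected requests receive the same generic response so the throttle is not observable from the outside.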

Added: Apr 13, 2026, 3:48 PM
Updated: Apr 13, 2026, 3:48 PM

Vulnerability Rating

Custom Algorithm
Category        Score
spread          0.0
impact          0.2
exploitability  7.4
remediation     0.0
relevance       5.8
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.