JhumanJ OpnForm CVE-2025-11443

LOW · 2.9 (CVSS 4.0 · NVD)
Information Exposure (CWE-200)
2025-10-08 · cna@vuldb.com

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 02:03 (vuln.today)

Description (CVE.org)

A weakness has been identified in JhumanJ OpnForm up to 1.9.3. This affects an unknown function of the file /api/password/email of the component Forgotten Password Handler. This manipulation causes information exposure through discrepancy. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be exploited. This issue is currently aligned with Laravel issue #46465, which is why no mitigation action was taken.

Analysis (AI)

OpnForm versions up to 1.9.3 expose sensitive information through a timing-based discrepancy in the forgotten password handler endpoint (/api/password/email), allowing remote unauthenticated attackers to enumerate valid email addresses or extract partial account information with high attack complexity. The vulnerability is rooted in a Laravel framework issue (Laravel #46465) for which the vendor has taken no mitigation action. Publicly available exploit code exists, though EPSS scoring (0.04%) indicates low real-world exploitation likelihood despite theoretical exploitability.

Technical Context (AI)

The vulnerability exists in the Forgotten Password Handler component, specifically the /api/password/email endpoint used for password reset requests. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), manifested through timing-based information disclosure. The attack exploits a discrepancy in response times or error messages between requests for valid versus invalid email addresses, a classic timing attack vector. This issue is aligned with a known Laravel framework vulnerability (issue #46465), indicating the flaw originates in the underlying framework layer rather than OpnForm-specific code. The high attack complexity (AC:H) reflects the difficulty of reliably detecting and exploiting timing differences over a network.

Remediation (AI)

Upgrade JhumanJ OpnForm to a version released after 1.9.3 once available. No specific patched version is confirmed in the provided data; contact the vendor or monitor their releases for a fix addressing the timing discrepancy in /api/password/email. As a temporary compensating control, implement rate limiting on the /api/password/email endpoint to prevent repeated requests used for timing analysis, and consider adding artificial delay to responses (constant-time response design) to mask timing differences between valid and invalid email addresses. If immediate remediation is unavailable, restrict access to the password reset endpoint to known corporate IP ranges, or place it behind an additional authentication layer (e.g., CAPTCHA or email verification step) to raise exploitation complexity. Note that these controls may degrade user experience for legitimate password reset requests. The issue is currently a lower-priority fix given the low EPSS score and lack of KEV listing, but should be applied during regular patch cycles.
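A sketch of the two compensating controls named above (response-time floor plus rate limiting), written as Laravel middleware. This is an added example, not code from OpnForm or Laravel; the class name `ResponseTimeFloor`, the 800 ms floor, the throttle values and the route wiring in the comment are assumptions.

```php
<?php
// Added example: hypothetical middleware, not part of OpnForm or Laravel.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

class ResponseTimeFloor
{
    // Assumed value. The floor only hides the discrepancy if it is longer
    // than the slowest legitimate path (known address, mail dispatched).
    private const FLOOR_MS = 800;

    public function handle(Request $request, Closure $next): Response
    {
        $start = hrtime(true); // monotonic clock, nanoseconds

        try {
            return $next($request);
        } finally {
            // Runs for normal responses and for exceptions alike, so error
            // paths are padded to the same floor as success paths.
            $elapsedMs = intdiv(hrtime(true) - $start, 1_000_000);
            $remainingMs = self::FLOOR_MS - $elapsedMs;

            if ($remainingMs > 0) {
                usleep($remainingMs * 1000);
            } else {
                // A request slower than the floor is observable again:
                // log it so the floor can be raised.
                Log::warning('password reset exceeded response floor', [
                    'elapsed_ms' => $elapsedMs,
                    'floor_ms'   => self::FLOOR_MS,
                ]);
            }
        }
    }
}

// Hypothetical wiring (the controller is elided because the page does not
// name it). 'throttle:5,1' limits each client to 5 requests per minute,
// which also bounds how many workers the padding can hold in usleep():
// Route::post('/password/email', ...)
//     ->middleware([ResponseTimeFloor::class, 'throttle:5,1']);
```

The padding equalizes only total response time; the response body and status code must also be identical for known and unknown addresses, since the discrepancy can appear in either.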