Is Polarlearn affected by CVE-2026-25222?

A timing attack vulnerability in PolarLearn's sign-in process allows attackers to enumerate registered email addresses without authentication, potentially enabling targeted phishing campaigns and social engineering attacks against your user base.

CVE-2026-25222

HIGH

2026-02-02 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:01 vuln.today

PoC Detected

Feb 20, 2026 - 20:48 vuln.today

Public exploit code

Patch Released

Feb 20, 2026 - 20:48 nvd

Patch available

CVE Published

Feb 02, 2026 - 23:16 nvd

HIGH 7.5

Description

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms).

Analysis

Email enumeration in PolarLearn through timing analysis of the login endpoint allows unauthenticated attackers to identify valid user accounts by observing response time differences between existing and non-existent users. The vulnerability stems from the server only performing expensive password hashing for registered accounts, creating a measurable timing side-channel. …

Remediation

Within 24 hours: Inventory all systems running PolarLearn 0-PRERELEASE-15 or earlier and assess user population exposure. Within 7 days: Apply the available vendor patch to all affected instances and validate successful deployment across environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: +20

CVE-2026-25222 vulnerability details – vuln.today

Back

CVE-2026-25222

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-25222

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code