
7 matches found

RedhatCVE
added 2025/09/19 5:33 p.m., 3 views

CVE-2025-35435

CISA Thorium accepts a stream split size of zero then divides by this value. A remote, authenticated attacker could cause the service to crash. Fixed in commit 89101a6...

CVSS 5.3, AI score 6.6, EPSS 0.00183
Exploits: 0, References: 1
NVD
added 2025/09/17 5:15 p.m., 3 views

CVE-2025-35435

CISA Thorium accepts a stream split size of zero then divides by this value. A remote, authenticated attacker could cause the service to crash. Fixed in commit 89101a6...

CVSS 5.3, EPSS 0.00183
Exploits: 0, References: 3
NVD
added 2025/09/17 5:15 p.m., 4 views

CVE-2025-35430

CISA Thorium does not adequately validate the paths of downloaded files via 'downloadephemeral' and 'downloadchildren'. A remote, authenticated attacker could access arbitrary files subject to file system permissions. Fixed in 1.1.2...

CVSS 6.5, EPSS 0.00076
Exploits: 0, References: 4
CVE
added 2025/09/17 4:51 p.m., 12 views

CVE-2025-35430

CVE-2025-35430 affects the CISA Thorium framework. The vulnerability stems from inadequate validation of downloaded file paths in the functions download_ephemeral and download_children, allowing a remote, authenticated attacker to access arbitrary files subject to filesystem permissions. Affected...

CVSS 6.5, AI score 6.5, EPSS 0.00076
Exploits: 0, References: 4, Affected Software: 1
Positive Technologies
added 2025/09/17 12:0 a.m., 3 views

PT-2025-38230

Name of the Vulnerable Software and Affected Versions: Thorium versions prior to 1.1.1 Description: Thorium does not escape user-controlled strings used in LDAP queries. An authenticated remote attacker can modify LDAP authorization data, such as group memberships. Recommendations: Update to...

CVSS 5.4, AI score 6.5, EPSS 0.00082
Exploits: 0, References: 7
Positive Technologies
added 2025/09/17 12:0 a.m., 3 views

PT-2025-38231

Name of the Vulnerable Software and Affected Versions: Thorium versions prior to 1.1.1 Description: Thorium does not limit the rate of requests to send account verification email messages. This allows a remote, unauthenticated attacker to send an unlimited number of messages to a user awaiting...

CVSS 6.9, AI score 6.5, EPSS 0.00256
Exploits: 0, References: 7
Positive Technologies
added 2025/09/17 12:0 a.m., 3 views

PT-2025-38235

Name of the Vulnerable Software and Affected Versions: CISA Thorium affected versions not specified Description: CISA Thorium uses the .unwrap function to handle errors related to account verification email messages. An unauthenticated remote attacker could cause a crash by providing a specially...

CVSS 7.5, AI score 6.7, EPSS 0.00071
Exploits: 0, References: 9