CVE-2025-41066

Publication date 2 December 2025

Last updated 10 December 2025

Ubuntu priority

Description

Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of valid accounts on the system. To exploit the vulnerability, an HTTP request must be sent to ‘/imp/attachment.php’ including the parameters ‘id’ and ‘u’. If the specified user exists, the server will return the download of an empty file; if it does not exist, no download will be initiated, which unequivocally reveals the validity of the user.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php-horde-groupware	26.04 LTS resolute	Not in release
	25.10 questing	Not in release
	25.04 plucky	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2025-41066
https://www.incibe.es/en/incibe-cert/notices/aviso/disclosure-sensitive-information-horde-groupware

CVE-2025-41066

Description

Status

References

Other references

Access our resources on patching vulnerabilities