CVE-2025-52899
CVE-2025-52899 is a medium-severity vulnerability in Enalean Tuleap with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-204.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- EPSS exploit prediction: 0% (21st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-23041
- Weakness: CWE-204
- Affected product: Enalean Tuleap
- Published:
- Last modified:
Description
Tuleap is an Open Source Suite created to facilitate management of software development and collaboration. In Tuleap Community Edition prior to version 16.9.99.1750843170 and Tuleap Enterprise Edition prior to 16.8-4 and 16.9-2, the forgot password form allows for user enumeration. This is fixed in Tuleap Community Edition version 16.9.99.1750843170 and Tuleap Enterprise Edition 16.8-4 and 16.9-2.
Frequently asked questions
- What is CVE-2025-52899?
- Tuleap is an Open Source Suite created to facilitate management of software development and collaboration. In Tuleap Community Edition prior to version 16.9.99.1750843170 and Tuleap Enterprise Edition prior to 16.8-4 and 16.9-2, the forgot password form allows for user enumeration. This is fixed in Tuleap Community Edition version 16.9.99.1750843170 and Tuleap Enterprise Edition 16.8-4 and 16.9-2.
- How severe is CVE-2025-52899?
- CVE-2025-52899 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2025-52899 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (21st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-52899?
- CVE-2025-52899 primarily affects Enalean Tuleap. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2025-52899?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-52899 have an EU (EUVD) identifier?
- Yes. CVE-2025-52899 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-23041.
- When was CVE-2025-52899 published?
- CVE-2025-52899 was published on 2025-07-29 and last updated on 2026-06-17.
References
- https://github.com/Enalean/tuleap/commit/5c72d6d253016d38ed472eb7918f772d074ddb07
- https://github.com/Enalean/tuleap/security/advisories/GHSA-xqf3-xxxf-x3c2
- https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=5c72d6d253016d38ed472eb7918f772d074ddb07
- https://tuleap.net/plugins/tracker/?aid=43674
Affected products (2)
- cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*
- cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:*
More vulnerabilities in Enalean Tuleap
- CVE-2018-17298 — Critical (CVSS 9.8): An issue was discovered in Enalean Tuleap before 10.5. Reset password links are not invalidated after a user changes…
- CVE-2018-7538 — Critical (CVSS 9.8): A SQL injection vulnerability in the tracker functionality of Enalean Tuleap software engineering platform before 9.18…
- CVE-2014-7178 — Critical (CVSS 9.3): Enalean Tuleap before 7.5.99.6 allows remote attackers to execute arbitrary commands via the User-Agent header, which…
- CVE-2021-43806 — High (CVSS 8.8): Tuleap is a Libre and Open Source tool for end to end traceability of application and system developments. In affected…
- CVE-2021-41155 — High (CVSS 8.8): Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected…
- CVE-2021-41154 — High (CVSS 8.8): Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. In affected…
All CVEs affecting Enalean Tuleap →
Other CWE-204 vulnerabilities
- CVE-2018-25350 — Critical (CVSS 9.8): userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid…
- CVE-2025-5485 — High (CVSS 8.6): User names used to access the web management interface are limited to the device identifier, which is a numerical…
- CVE-2026-33419 — High (CVSS 7.5): MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security…
- CVE-2025-12455 — High (CVSS 7.5): Observable response discrepancy vulnerability in OpenText™ Vertica allows Password Brute Forcing. The…
- CVE-2025-46390 — High (CVSS 7.5): CWE-204: Observable Response Discrepancy
- CVE-2025-3092 — High (CVSS 7.5): An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint.