Description

Tuist is a virtual platform team for Swift app devs. Prior to 1.180.10, the forgot password flow allows an unauthenticated attacker to repeatedly trigger password reset emails for a known account without server-side throttling. In self-hosted deployments, this can be abused to send large volumes of unwanted email and consume downstream email delivery resources. This vulnerability is fixed in 1.180.10.

PUBLISHED | Reserved 2026-05-07 | Published 2026-05-14 | Updated 2026-05-15 | Assigner GitHub_M

MEDIUM: 6.9 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

< 1.180.10: affected

References

github.com/.../tuist/security/advisories/GHSA-v7gr-7ww5-w4cx

cve.org (CVE-2026-44679)

nvd.nist.gov (CVE-2026-44679)