Total
132 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-31888 | 1 Shopware | 1 Shopware | 2026-06-17 | N/A | 5.3 MEDIUM |
| Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15. | |||||
| CVE-2026-28358 | 1 Nocodb | 1 Nocodb | 2026-06-17 | N/A | 5.3 MEDIUM |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3. | |||||
| CVE-2026-28288 | 1 Dify | 1 Dify | 2026-06-17 | N/A | 5.3 MEDIUM |
| Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue. | |||||
| CVE-2026-27480 | 1 Static-web-server | 1 Static Web Server | 2026-06-17 | N/A | 5.3 MEDIUM |
| Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0. | |||||
| CVE-2026-26744 | 1 Formalms | 1 Formalms | 2026-06-17 | N/A | 5.3 MEDIUM |
| A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy. | |||||
| CVE-2026-25509 | 1 Ci4-cms-erp | 1 Ci4ms | 2026-06-17 | N/A | 5.3 MEDIUM |
| CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application's response during the password reset process. This issue has been patched in version 0.28.5.0. | |||||
| CVE-2026-25138 | 1 Cern | 1 Rucio | 2026-06-17 | N/A | 5.3 MEDIUM |
| Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Prior to versions 35.8.3, 38.5.4, and 39.3.1, the WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue. | |||||
| CVE-2026-24664 | 1 Gunet | 1 Open Eclass Platform | 2026-06-17 | N/A | 5.3 MEDIUM |
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2. | |||||
| CVE-2026-24332 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with "status": "offline"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as "You will appear offline." | |||||
| CVE-2026-23511 | 1 Zitadel | 1 Zitadel | 2026-06-17 | N/A | 5.3 MEDIUM |
| ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6. | |||||
| CVE-2026-21484 | 1 Mintplexlabs | 1 Anythingllm | 2026-06-17 | N/A | 5.3 MEDIUM |
| AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue. | |||||
| CVE-2025-9824 | 2026-06-17 | N/A | 5.9 MEDIUM | ||
| ImpactThe attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks. PatchesThis vulnerability has been patched, implementing a timing-safe form login authenticator that ensures consistent response times regardless of whether a user exists or not. Technical DetailsThe vulnerability was caused by different response times when: * A valid username was provided (password hashing occurred) * An invalid username was provided (no password hashing occurred) The fix introduces a TimingSafeFormLoginAuthenticator that performs a dummy password hash verification even for non-existent users, ensuring consistent timing. WorkaroundsNo workarounds are available. Users should upgrade to the patched version. References * https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account | |||||
| CVE-2025-9109 | 1 Portabilis | 1 I-diario | 2026-06-17 | 2.6 LOW | 3.7 LOW |
| A security flaw has been discovered in Portabilis i-Diario up to 1.5.0. Affected by this vulnerability is an unknown functionality of the file /password/email of the component Password Recovery Endpoint. The manipulation results in observable response discrepancy. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-69413 | 1 Gitea | 1 Gitea | 2026-06-17 | N/A | 5.3 MEDIUM |
| In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists. | |||||
| CVE-2025-67874 | 1 Churchcrm | 1 Churchcrm | 2026-06-17 | N/A | 6.5 MEDIUM |
| ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue. | |||||
| CVE-2025-67500 | 1 Joinmastodon | 1 Mastodon | 2026-06-17 | N/A | 3.7 LOW |
| Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by sending a request with a non-English Accept-Language header. Using this behavior, an attacker who knows the identifier of a particular status they are not allowed to see can confirm whether this status exists or not. This cannot be used to learn the contents of the status or any other property besides its existence. This issue is fixed in versions 4.2.28, 4.3.15, 4.4.10 and 4.5.3. | |||||
| CVE-2025-66307 | 1 Getgrav | 1 Grav-plugin-admin | 2026-06-17 | N/A | 6.5 MEDIUM |
| This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a user enumeration and email disclosure vulnerability exists in Grav. The "Forgot Password" functionality at /admin/forgot leaks information about valid usernames and their associated email addresses through distinct server responses. This allows an attacker to enumerate users and disclose sensitive email addresses, which can be leveraged for targeted attacks such as password spraying, phishing, or social engineering. This vulnerability is fixed in 1.11.0-beta.1. | |||||
| CVE-2025-65899 | 1 Difuse | 1 Kalmia | 2026-06-17 | N/A | 5.3 MEDIUM |
| Kalmia CMS version 0.2.0 contains a user enumeration vulnerability in its authentication mechanism. The application returns different error messages for invalid users (user_not_found) versus valid users with incorrect passwords (invalid_password). This observable response discrepancy allows unauthenticated attackers to enumerate valid usernames on the system. | |||||
| CVE-2025-62512 | 1 Piwigo | 1 Piwigo | 2026-06-17 | N/A | 5.3 MEDIUM |
| Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?action=lost returns distinct messages for valid vs. invalid accounts, enabling user enumeration. As of time of publication, no known patches are available. | |||||
| CVE-2025-62236 | 1 Flyfrontier | 1 Frontier Airlines | 2026-06-17 | N/A | 5.3 MEDIUM |
| The Frontier Airlines website has a publicly available endpoint that validates if an email addresses is associated with an account. An unauthenticated, remote attacker could determine valid email addresses, possibly aiding in further attacks. | |||||