Total: 134 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-28358 | 1 Nocodb | 1 Nocodb | 2026-06-17 | N/A | 5.3 MEDIUM |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3. | |||||
| CVE-2026-28288 | 1 Dify | 1 Dify | 2026-06-17 | N/A | 5.3 MEDIUM |
| Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue. | |||||
| CVE-2026-27480 | 1 Static-web-server | 1 Static Web Server | 2026-06-17 | N/A | 5.3 MEDIUM |
| Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0. | |||||
| CVE-2026-26744 | 1 Formalms | 1 Formalms | 2026-06-17 | N/A | 5.3 MEDIUM |
| A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy. | |||||
| CVE-2026-25509 | 1 Ci4-cms-erp | 1 Ci4ms | 2026-06-17 | N/A | 5.3 MEDIUM |
| CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application's response during the password reset process. This issue has been patched in version 0.28.5.0. | |||||
| CVE-2026-25138 | 1 Cern | 1 Rucio | 2026-06-17 | N/A | 5.3 MEDIUM |
| Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Prior to versions 35.8.3, 38.5.4, and 39.3.1, the WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue. | |||||
| CVE-2026-24664 | 1 Gunet | 1 Open Eclass Platform | 2026-06-17 | N/A | 5.3 MEDIUM |
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2. | |||||
| CVE-2026-24468 | | | 2026-06-17 | N/A | 5.3 MEDIUM |
| OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaigns and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the system. When a non-existent email is provided in the login parameter, the endpoint returns an HTTP 400 response (Bad Request). When a valid email is supplied, the endpoint responds with HTTP 200. This difference in server responses creates an observable discrepancy that allows an attacker to reliably determine which emails are registered in the application. By automating requests with a list of possible email addresses, an attacker can quickly build a list of valid accounts without any authentication. The endpoint should return a consistent response regardless of whether the username exists in order to prevent account enumeration. Version 2.0.13 fixes this issue. | |||||
| CVE-2026-24332 | | | 2026-06-17 | N/A | 4.3 MEDIUM |
| Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with "status": "offline"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as "You will appear offline." | |||||
| CVE-2026-24097 | 1 Checkmk | 1 Checkmk | 2026-06-17 | N/A | 4.3 MEDIUM |
| Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows authenticated users to enumerate existing hosts by observing different HTTP response codes in agent-receiver/register_existing endpoint, which could lead to information disclosure. | |||||
| CVE-2026-23511 | 1 Zitadel | 1 Zitadel | 2026-06-17 | N/A | 5.3 MEDIUM |
| ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating through usernames and userIDs. This vulnerability is fixed in 4.9.1 and 3.4.6. | |||||
| CVE-2026-21484 | 1 Mintplexlabs | 1 Anythingllm | 2026-06-17 | N/A | 5.3 MEDIUM |
| AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue. | |||||
| CVE-2026-20195 | | | 2026-06-17 | N/A | 5.3 MEDIUM |
| A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because the affected API endpoint returns distinguishable error messages when it is called. An attacker could exploit this vulnerability by sending a series of crafted requests to the affected endpoint and analyzing the differentiated responses. A successful exploit could allow the attacker to compile a list of valid usernames on an affected system. | |||||
| CVE-2025-9824 | | | 2026-06-17 | N/A | 5.9 MEDIUM |
| Impact: The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks. Patches: This vulnerability has been patched, implementing a timing-safe form login authenticator that ensures consistent response times regardless of whether a user exists or not. Technical Details: The vulnerability was caused by different response times when (1) a valid username was provided (password hashing occurred) and (2) an invalid username was provided (no password hashing occurred). The fix introduces a TimingSafeFormLoginAuthenticator that performs a dummy password hash verification even for non-existent users, ensuring consistent timing. Workarounds: No workarounds are available. Users should upgrade to the patched version. References: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account | |||||
| CVE-2025-9109 | 1 Portabilis | 1 I-diario | 2026-06-17 | 2.6 LOW | 3.7 LOW |
| A security flaw has been discovered in Portabilis i-Diario up to 1.5.0. Affected by this vulnerability is an unknown functionality of the file /password/email of the component Password Recovery Endpoint. The manipulation results in observable response discrepancy. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit has been released to the public and may be exploited. | |||||
| CVE-2025-69413 | 1 Gitea | 1 Gitea | 2026-06-17 | N/A | 5.3 MEDIUM |
| In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists. | |||||
| CVE-2025-69243 | 1 Raytha | 1 Raytha | 2026-06-17 | N/A | 5.3 MEDIUM |
| Raytha CMS is vulnerable to User Enumeration in password reset functionality. Difference in messages could allow an attacker to determine if the login is valid or not, enabling a brute force attack with valid logins. This issue was fixed in version 1.5.0. | |||||
| CVE-2025-67874 | 1 Churchcrm | 1 Churchcrm | 2026-06-17 | N/A | 6.5 MEDIUM |
| ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue. | |||||
| CVE-2025-67807 | 1 Sagedpw | 1 Sage Dpw | 2026-06-17 | N/A | 4.7 MEDIUM |
| The login mechanism of Sage DPW 2025_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behaviour in newer versions. | |||||
| CVE-2025-67806 | 1 Sagedpw | 1 Sage Dpw | 2026-06-17 | N/A | 3.7 LOW |
| The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions. | |||||
