Total: 134 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-67500 | 1 Joinmastodon | 1 Mastodon | 2026-06-17 | N/A | 3.7 LOW |
| Mastodon is a free, open-source social network server based on ActivityPub. Versions 4.2.27 and prior, 4.3.0-beta.1 through 4.3.14, 4.4.0-beta.1 through 4.4.9, 4.5.0-beta.1 through 4.5.2 have discrepancies in error handling which allow checking whether a given status exists by sending a request with a non-English Accept-Language header. Using this behavior, an attacker who knows the identifier of a particular status they are not allowed to see can confirm whether this status exists or not. This cannot be used to learn the contents of the status or any other property besides its existence. This issue is fixed in versions 4.2.28, 4.3.15, 4.4.10 and 4.5.3. | |||||
| CVE-2025-66307 | 1 Getgrav | 1 Grav-plugin-admin | 2026-06-17 | N/A | 6.5 MEDIUM |
| This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a user enumeration and email disclosure vulnerability exists in Grav. The "Forgot Password" functionality at /admin/forgot leaks information about valid usernames and their associated email addresses through distinct server responses. This allows an attacker to enumerate users and disclose sensitive email addresses, which can be leveraged for targeted attacks such as password spraying, phishing, or social engineering. This vulnerability is fixed in 1.11.0-beta.1. | |||||
| CVE-2025-65899 | 1 Difuse | 1 Kalmia | 2026-06-17 | N/A | 5.3 MEDIUM |
| Kalmia CMS version 0.2.0 contains a user enumeration vulnerability in its authentication mechanism. The application returns different error messages for invalid users (user_not_found) versus valid users with incorrect passwords (invalid_password). This observable response discrepancy allows unauthenticated attackers to enumerate valid usernames on the system. | |||||
| CVE-2025-62512 | 1 Piwigo | 1 Piwigo | 2026-06-17 | N/A | 5.3 MEDIUM |
| Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. The endpoint at password.php?action=lost returns distinct messages for valid vs. invalid accounts, enabling user enumeration. As of time of publication, no known patches are available. | |||||
| CVE-2025-62236 | 1 Flyfrontier | 1 Frontier Airlines | 2026-06-17 | N/A | 5.3 MEDIUM |
| The Frontier Airlines website has a publicly available endpoint that validates whether an email address is associated with an account. An unauthenticated, remote attacker could determine valid email addresses, possibly aiding further attacks. | |||||
| CVE-2025-62181 | | | 2026-06-17 | N/A | 5.3 MEDIUM |
| Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a user enumeration issue. It occurs during the user authentication process, where a difference in response time could allow a remote unauthenticated user to determine whether a username is valid. This only applies to the deprecated basic-authentication feature; other, more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: the Basic credentials authentication service type has been deprecated since version 24.2: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html. | |||||
| CVE-2025-61907 | 1 Icinga | 1 Icinga | 2026-06-17 | N/A | 6.5 MEDIUM |
| Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information that should be hidden from them, including global variables not permitted by the variables permission and objects not permitted by the corresponding objects/query permissions. The vulnerability is fixed in versions 2.15.1, 2.14.7, and 2.13.13. | |||||
| CVE-2025-61789 | 1 Icinga | 1 Icinga Db Web | 2026-06-17 | N/A | 5.3 MEDIUM |
| Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used. | |||||
| CVE-2025-5485 | | | 2026-06-17 | N/A | 8.6 HIGH |
| User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malicious actor can enumerate potential targets by incrementing or decrementing from known identifiers or through enumerating random digit sequences. | |||||
| CVE-2025-59116 | 1 Windu | 1 Windu Cms | 2026-06-17 | N/A | 5.3 MEDIUM |
| Windu CMS is vulnerable to user enumeration. The issue occurs during logon, where a difference in messages could allow an attacker to determine whether a login name is valid, enabling a brute-force attack against valid logins. Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250. | |||||
| CVE-2025-58586 | 1 Sick | 5 Baggage Analytics, Enterprise Analytics, Logistic Diagnostic Analytics and 2 more | 2026-06-17 | N/A | 5.3 MEDIUM |
| For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one. | |||||
| CVE-2025-58442 | | | 2026-06-17 | N/A | 5.3 MEDIUM |
| Saleor is an e-commerce platform. Starting in version 3.21.0 and prior to version 3.21.16, requesting certain fields in the response of `accountRegister` may result in errors that could unintentionally reveal whether a user with the provided email already exists in Saleor. Version 3.21.16 fixes the issue. As a workaround, rate-limit the mutation to reduce the impact. | |||||
| CVE-2025-56764 | 1 Trivisionsecurity | 2 Trivision Nc-227wf, Trivision Nc-227wf Firmware | 2026-06-17 | N/A | 5.3 MEDIUM |
| Trivision NC-227WF firmware 5.80 (build 20141010) login mechanism reveals whether a username exists or not by returning different error messages ("Unknown user" vs. "Wrong password"), allowing an attacker to enumerate valid usernames. | |||||
| CVE-2025-54834 | 1 Opexustech | 1 Foiaxpress Public Access Link | 2026-06-17 | N/A | 5.3 MEDIUM |
| OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limiting mechanisms in place. | |||||
| CVE-2025-54129 | 1 Psu | 1 Haxiam | 2026-06-17 | N/A | 4.3 MEDIUM |
| HAXiam is a packaging wrapper for HAXcms which allows anyone to spawn their own microsite management platform. In versions 11.0.4 and below, the application returns a 200 response when requesting the data of a valid user and a 404 response when requesting the data of an invalid user. This can be used to infer the existence of valid user accounts. An authenticated attacker can use automated tooling to brute force potential usernames and use the application's response to identify valid accounts. This can be used in conjunction with other vulnerabilities, such as the lack of authorization checks, to enumerate and deface another user's sites. This is fixed in version 11.0.5. | |||||
| CVE-2025-52899 | 1 Enalean | 1 Tuleap | 2026-06-17 | N/A | 5.3 MEDIUM |
| Tuleap is an Open Source Suite created to facilitate management of software development and collaboration. In Tuleap Community Edition prior to version 16.9.99.1750843170 and Tuleap Enterprise Edition prior to 16.8-4 and 16.9-2, the forgot password form allows for user enumeration. This is fixed in Tuleap Community Edition version 16.9.99.1750843170 and Tuleap Enterprise Edition 16.8-4 and 16.9-2. | |||||
| CVE-2025-49187 | 1 Sick | 1 Field Analytics | 2026-06-17 | N/A | 5.3 MEDIUM |
| For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one. | |||||
| CVE-2025-48015 | | | 2026-06-17 | N/A | 3.7 LOW |
| The failed-login response could differ depending on whether the username was local or central. | |||||
| CVE-2025-46736 | 1 Umbraco | 1 Umbraco Cms | 2026-06-17 | N/A | 5.3 MEDIUM |
| Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. The issue is patched in versions 10.8.10 and 13.8.1. No known workarounds are available. | |||||
| CVE-2025-46390 | | | 2026-06-17 | N/A | 7.5 HIGH |
| CWE-204: Observable Response Discrepancy | |||||
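Most of the entries above share one root cause: a login or account-recovery handler that returns one message when the username does not exist and another when the password is wrong (Kalmia, SICK, Trivision, Windu), or that skips the expensive password check for unknown users so the two cases differ in response time (Pega, Umbraco). The following is an added example, not code from this page or from any of the listed projects, showing that pattern next to a hardened handler. It assumes a hypothetical in-memory user table with PBKDF2 password hashes; the names `login_vulnerable`, `login_hardened` and `distinct_failure_responses` are illustrative.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical credential store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
# Constructed for this example; not real credentials.
ITERATIONS = 50_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_table(creds):
    table = {}
    for username, password in creds.items():
        salt = os.urandom(16)
        table[username] = (salt, _pbkdf2(password, salt))
    return table


USERS = make_user_table({"alice": "correct horse battery", "bob": "hunter2"})

# Dummy salt/hash that the hardened handler verifies against whenever the
# username is unknown, so the unknown-user path does the same work as a real
# password check and cannot be told apart by response time.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(secrets.token_hex(16), _DUMMY_SALT)


def login_vulnerable(username, password):
    """The CWE-204 pattern: distinct messages for unknown user vs wrong
    password, plus an early return that skips the hash, which also leaks
    account existence through timing."""
    record = USERS.get(username)
    if record is None:
        return (401, "user_not_found")
    salt, expected = record
    if hmac.compare_digest(_pbkdf2(password, salt), expected):
        return (200, "ok")
    return (401, "invalid_password")


def login_hardened(username, password):
    """One failure message, and identical work on both failure paths."""
    record = USERS.get(username)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_pbkdf2(password, salt), expected)
    if matched and record is not None:
        return (200, "ok")
    return (401, "invalid_credentials")


def distinct_failure_responses(login, usernames, password="not-the-password"):
    """What an attacker observes: the set of (status, message) pairs that
    failed logins produce across candidate usernames. More than one element
    means the endpoint discriminates between existing and non-existing
    accounts."""
    return {login(u, password) for u in usernames}


if __name__ == "__main__":
    candidates = ["alice", "bob", "mallory", "admin"]
    print("vulnerable:", distinct_failure_responses(login_vulnerable, candidates))
    print("hardened:  ", distinct_failure_responses(login_hardened, candidates))
```

The hardened handler returns the same status and message on both failure paths and always performs exactly one PBKDF2 computation, verifying against a dummy hash when the username is unknown, so neither the body nor the latency distinguishes a real account from a guessed one. The same rule applies to the forgot-password and registration flows in the Grav, Piwigo, Tuleap and Saleor entries: answer with the same "if that account exists, an email has been sent" text whether or not it does. Rate limiting (the Saleor workaround) raises the cost of enumeration but does not remove the oracle.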
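From the testing side, the check behind these findings is to send the same wrong password (or the same reset request) for a mix of usernames known to exist and usernames that cannot exist, then compare everything the server returns: status code, normalized body and latency. The analyzer below is an added example, not part of this page or of any listed product. It runs on constructed observation tuples in the shape a probe script would record; the function names and the `ratio=3.0` threshold are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed observations for one endpoint, as a probe script would record
# them: (candidate username, HTTP status, response body, elapsed ms).
# alice and bob exist; zzz_1 and zzz_2 do not. Made-up values, not captures
# from any product listed above.
MESSAGE_LEAK = [
    ("alice", 200, "<p>Wrong password</p>", 48.1),
    ("bob", 200, "<p>Wrong password</p>", 51.3),
    ("zzz_1", 200, "<p>Unknown user</p>", 2.0),
    ("zzz_2", 200, "<p>Unknown user</p>", 1.7),
]

# Same status and message for everyone; only the latency differs because the
# unknown-user path skips the password hash.
TIMING_LEAK = [
    ("alice", 401, '{"error":"invalid credentials","reqid":"1001"}', 47.9),
    ("bob", 401, '{"error":"invalid credentials","reqid":"1002"}', 52.0),
    ("zzz_1", 401, '{"error":"invalid credentials","reqid":"1003"}', 1.9),
    ("zzz_2", 401, '{"error":"invalid credentials","reqid":"1004"}', 2.2),
]


def normalize(body: str) -> str:
    """Collapse whitespace, lowercase, and mask digit runs as '#' so
    per-request noise (request ids, timestamps, counters) is not mistaken
    for a discrepancy."""
    body = re.sub(r"\s+", " ", body).strip().lower()
    return re.sub(r"\d+", "#", body)


def content_discrepancy(observations):
    """Group usernames by (status, normalized body). Returns {} when every
    response looks the same, otherwise a signature -> usernames map."""
    groups = defaultdict(list)
    for username, status, body, _ in observations:
        groups[(status, normalize(body))].append(username)
    return dict(groups) if len(groups) > 1 else {}


def timing_discrepancy(observations, ratio=3.0):
    """Split candidates at the largest gap in sorted latency and report the two
    clusters when the slow cluster's median is at least `ratio` times the fast
    cluster's. Returns None when latencies are uniform."""
    timed = sorted((ms, username) for username, _, _, ms in observations)
    if len(timed) < 2:
        return None
    _, split = max((timed[i + 1][0] - timed[i][0], i) for i in range(len(timed) - 1))
    fast, slow = timed[: split + 1], timed[split + 1 :]
    fast_median = statistics.median(ms for ms, _ in fast)
    slow_median = statistics.median(ms for ms, _ in slow)
    if fast_median <= 0 or slow_median / fast_median < ratio:
        return None
    return {"slow": sorted(u for _, u in slow), "fast": sorted(u for _, u in fast)}


def audit(observations):
    """Both checks together; a non-empty 'content' or non-None 'timing'
    result is an enumeration oracle."""
    return {"content": content_discrepancy(observations),
            "timing": timing_discrepancy(observations)}


if __name__ == "__main__":
    print("message leak:", audit(MESSAGE_LEAK))
    print("timing leak: ", audit(TIMING_LEAK))
```

`normalize` masks digit runs so request ids and timestamps do not register as discrepancies; if the target embeds a CSRF token or session id in the body, extend the masking before trusting the content check. For the timing check, collect several samples per username and feed medians rather than single requests, since network jitter can exceed the gap that a skipped hash produces; a 200-vs-404 status split (the HAXiam entry) is caught by the content check without any timing data.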
