CVEs classified under CWE-204, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2018-25350 — CVSS 9.8 (critical): userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending…
CVE-2025-5485 — CVSS 8.6 (high): User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than…
CVE-2026-33419 — CVSS 7.5 (high): MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service)…
CVE-2025-12455 — CVSS 7.5 (high): Observable response discrepancy vulnerability in OpenText™ Vertica allows Password Brute Forcing. The vulnerability could lead to…
CVE-2025-3092 — CVSS 7.5 (high): An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint.
CVE-2026-4113 — CVSS 7.2 (high): An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to enumerate SSL VPN…
CVE-2026-54445: vantage6 is an open-source infrastructure for privacy preserving analysis. Versions prior to 5.0.0 provide an initial user with username…
CVE-2021-47717: IntelliChoice eFORCE Software Suite 2.5.9 contains a username enumeration vulnerability that allows attackers to enumerate valid users by…
CVE-2025-34155: Tibbo AggreGate Network Manager < 6.40.05 contains an observable response discrepancy in its login functionality. Authentication failure…
CVE-2025-2910: User enumeration in the password reset module of the MeetMe authentication service in versions prior to 2024-09 allows an attacker to…
CVE-2025-23214: Cosmos provides users the ability self-host a home server by acting as a secure gateway to your application, as well as a server manager…
CVE-2026-34264 — CVSS 6.5 (medium): During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an…
CVE-2025-67874 — CVSS 6.5 (medium): ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by…
CVE-2025-66307 — CVSS 6.5 (medium): This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages…
CVE-2023-46170 — CVSS 6.5 (medium): IBM DS8900F HMC 89.21.19.0, 89.21.31.0, 89.30.68.0, 89.32.40.0, and 89.33.48.0 could allow an authenticated user to arbitrarily read files…
CVE-2026-43926: FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint…
CVE-2024-28232 — CVSS 6.2 (medium): Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the…
CVE-2025-9824 — CVSS 5.9 (medium): ImpactThe attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid…
CVE-2024-40627 — CVSS 5.8 (medium): Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP `OPTIONS` requests are always allowed by `OpaMiddleware`…
CVE-2026-53947 — CVSS 5.3 (medium): Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made…
CVE-2026-45620 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It…
CVE-2026-44306 — CVSS 5.3 (medium): Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password…
CVE-2024-0391 — CVSS 5.3 (medium): The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the…
CVE-2026-20195 — CVSS 5.3 (medium): A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user…
CVE-2026-24468 — CVSS 5.3 (medium): OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests…
CVE-2026-40485 — CVSS 5.3 (medium): ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login)…
CVE-2025-3716: User enumeration in ESET Protect (on-prem) via Response Timing.
CVE-2026-33323 — CVSS 5.3 (medium): Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and…
CVE-2026-33688 — CVSS 5.3 (medium): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at…
CVE-2026-30876 — CVSS 5.3 (medium): Chamilo LMS is a learning management system. Prior to version 1.11.36, Chamilo is vulnerable to user enumeration with valid/invalid…
CVE-2025-69243 — CVSS 5.3 (medium): Raytha CMS is vulnerable to User Enumeration in password reset functionality. Difference in messages could allow an attacker to determine…
CVE-2025-13460 — CVSS 5.3 (medium): IBM Aspera Console 3.3.0 through 3.4.8 could allow an attacker to enumerate usernames due to an observable response discrepancy.
CVE-2026-31901 — CVSS 5.3 (medium): Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8…
CVE-2026-31888 — CVSS 5.3 (medium): Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns…
CVE-2026-28358 — CVSS 5.3 (medium): NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different…
CVE-2026-28288 — CVSS 5.3 (medium): Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts…
CVE-2026-25138 — CVSS 5.3 (medium): Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using…
CVE-2025-62512 — CVSS 5.3 (medium): Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset…
CVE-2026-27480 — CVSS 5.3 (medium): Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a…
CVE-2026-26744 — CVSS 5.3 (medium): A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd…
CVE-2019-25338 — CVSS 5.3 (medium): DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to identify…
CVE-2026-24664 — CVSS 5.3 (medium): The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username…
CVE-2026-23511 — CVSS 5.3 (medium): ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in…
CVE-2025-69413 — CVSS 5.3 (medium): In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.
CVE-2025-62181 — CVSS 5.3 (medium): Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication…
CVE-2025-40806 — CVSS 5.3 (medium): A vulnerability has been identified in Gridscale X Prepay (All versions < V4.2.1). The affected application is vulnerable to user…
CVE-2025-65899 — CVSS 5.3 (medium): Kalmia CMS version 0.2.0 contains a user enumeration vulnerability in its authentication mechanism. The application returns different error…
CVE-2025-12994 — CVSS 5.3 (medium): Medtronic CareLink Network allows an unauthenticated remote attacker to initiate a request for security questions to an API endpoint that…
CVE-2025-59116 — CVSS 5.3 (medium): Windu CMS is vulnerable to User Enumeration. This issue occurs during logon, where a difference in messages could allow an attacker to…