231 matches found
PT-2026-52071
Name of the Vulnerable Software and Affected Versions Ghost versions 5.18.0 through 6.21.0 Description A discrepancy in responses from the members signin endpoints allows an unauthenticated attacker to determine if a specific email address is registered as a member of the site. Recommendations...
EUVD-2026-38393
Filament: Timing-based user enumeration on login page...
CVE-2026-48166
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether ...
CVE-2026-48166
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether ...
CVE-2026-48166
CVE-2026-48166 — Filament timing-based user enumeration on login page . Affects Filament login page in versions 4.0.0–4.11.5 and 5.6.5 of Filament (Laravel component library). An observable timing discrepancy on login allows unauthenticated attackers to determine whether a given email is register...
PT-2026-51387
Name of the Vulnerable Software and Affected Versions Filament versions 4.0.0 through 4.11.4 Filament versions 5.0.0 through 5.6.4 Description The login page contains a timing discrepancy that enables unauthenticated attackers to perform email enumeration. This allows an attacker to determine if ...
CVE-2026-56267
Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs,...
CVE-2026-56267
Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs,...
EUVD-2026-38118
Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs,...
CVE-2026-56267
Flowise prior to version 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint. The endpoint returns full user objects including PII to unauthenticated attackers, enabling enumeration of valid email addresses and harvesting of sensitive data su...
Astra Linux – Vulnerability in Python-Django
A issue was discovered in Django versions 5.1.1, 5.0.9, and 4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view that implements password reset processes, allows remote attackers to enumerate user email addresses by sending password reset requests and observing the...
CVE-2026-54396
An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.userid value from the submitted request data. An authenticated user with...
EUVD-2026-36572
An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.userid value from the submitted request data. An authenticated user with...
CVE-2026-54396 MISP AuthKey edit endpoint allows authenticated user email enumeration
An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.userid value from the submitted request data. An authenticated user with...
CVE-2026-54396
CVE-2026-54396 describes an information disclosure in the MISP AuthKey edit functionality. When a validation error occurs, the user dropdown was populated from the attacker-controlled AuthKey.user_id in the submitted request, enabling an authenticated user with edit permission to enumerate user e...
CVE-2026-54396 MISP AuthKey edit endpoint allows authenticated user email enumeration
An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.userid value from the submitted request data. An authenticated user with...
Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Strapi
CVE-2026-27886 Automated Exploit - Usage Guide What This S...
CVE-2026-7385
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses...
CVE-2026-33877
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint /api/v1/@apostrophecms/login/reset-request that allows unauthenticated username and email enumeration. When a user is not found,...
CVE-2026-35676
phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sendin...