211 matches found

RedhatCVE
added 4 hours ago, 0 views

CVE-2026-39851

Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118...

CVSS 5.3, AI score 5.5, EPSS 0.00042
Exploits 0, References 1
CVE
added yesterday, 5 views

CVE-2026-10864

The vulnerability CVE-2026-10864 affects MISP dashboard widgets (New Users and New Organisations). The issue stems from how field filtering and redaction are applied to the user-selected field list, which could leave the field set empty and cause the underlying query to fall back to returning uni...

CVSS 5.3, AI score 5.8
Exploits 0, References 1
Vulnrichment
added yesterday, 4 views

CVE-2026-10864 MISP Dashboard widget field selection may expose restricted user and organisation data

A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause th...

CVSS 5.3, AI score 5.8
Exploits 0, References 1
OSV
added 2026/05/25 8:16 p.m., 5 views

UBUNTU-CVE-2026-48846

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var value in an e-mail message, which may lead to information disclosure or access-control bypass...

CVSS 6.5, AI score 5.8, EPSS 0.00041
Exploits 0, References 7
Vulnrichment
added 2026/05/20 6:0 a.m., 6 views

CVE-2026-7385 Decent Comments < 3.0.2 - Unauthenticated Email Address Disclosure

The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses...

AI score 5.8, EPSS 0.00037
Exploits 0, References 1
CNNVD
added 2026/04/07 12:0 a.m., 2 views

Plane security vulnerability

Plane is an open-source, self-hosted project planning tool developed by Plane OpenSource. Versions of Plane prior to 1.3.0 contained security vulnerabilities. These vulnerabilities stemmed from the use of the user’s email address as a query parameter in the authentication process, which could lea...

CVSS 4.3, AI score 5.8, EPSS 0.0004
Exploits 0, References 1
Patchstack
added 2026/01/30 8:5 a.m., 8 views

WordPress EventON < 2.2.8 - Unauthenticated Email Address Disclosure vulnerability

Unauthenticated Email Address Disclosure vulnerability discovered by Erwan LR WPScan in WordPress Plugin EventON versions 2.2.8...

CVSS 5.3, AI score 5.9, EPSS 0.86512
Exploits 3, References 1, Affected Software 1
Patchstack
added 2026/01/30 8:2 a.m., 10 views

WordPress EventON < 4.5.5 - Unauthenticated Email Address Disclosure vulnerability

Unauthenticated Email Address Disclosure vulnerability discovered by Erwan LR WPScan in WordPress Plugin EventON versions 4.5.5...

CVSS 5.3, AI score 5.9, EPSS 0.86512
Exploits 3, References 1, Affected Software 1
RedhatCVE
added 2026/01/09 11:19 a.m., 3 views

CVE-2021-22892

An information disclosure vulnerability exists in the Rocket.Chat server, fixed in v3.13, v3.12.2 & v3.11.3, that allowed email addresses to be disclosed by enumeration and validation checks...

CVSS 7.5, AI score 6.3, EPSS 0.01357
Exploits 1, References 1
RedhatCVE
added 2026/01/09 10:32 a.m., 5 views

CVE-2017-18887

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It discloses the team creator's e-mail address to members...

CVSS 5.3, AI score 6.9, EPSS 0.00172
Exploits 0, References 1
RedhatCVE
added 2025/12/13 6:57 a.m., 3 views

CVE-2025-13660

The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks. This...

CVSS 5.3, AI score 6.1, EPSS 0.00097
Exploits 0, References 1
Vulnrichment
added 2025/12/12 6:32 a.m., 6 views

CVE-2025-13660 Guest Support <= 1.2.3 - Unauthenticated User Email Disclosure in guest_support_handler AJAX Endpoint

The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks. This...

CVSS 5.3, AI score 5.7, EPSS 0.00097
Exploits 0, References 4
Cvelist
added 2025/12/12 6:32 a.m., 22 views

CVE-2025-13660 Guest Support <= 1.2.3 - Unauthenticated User Email Disclosure in guest_support_handler AJAX Endpoint

The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks. This...

CVSS 5.3, EPSS 0.00097
Exploits 0, References 4
CVE
added 2025/12/12 6:32 a.m., 9 views

CVE-2025-13660

CVE-2025-13660 (Guest Support, WordPress): The vulnerability is an unauthenticated User Email Disclosure in versions up to and including 1.2.3. An exposed AJAX endpoint (guest_support_handler=ajax) allows arbitrary querying of users (request=get_users) without authentication or capability checks,...

CVSS 5.3, AI score 5.7, EPSS 0.00097
Exploits 0, References 4
Positive Technologies
added 2025/12/12 12:0 a.m., 3 views

PT-2025-50891

The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks. This...

CVSS 5.3, AI score 6, EPSS 0.00097
Exploits 0, References 5
CNVD
added 2025/12/03 12:0 a.m., 2 views

Grav User Enumeration and Email Disclosure Vulnerabilities

Grav is an extensible CMS (Content Management System) for personal blogs, small content publishing platforms and one-page product presentations. Grav suffers from a user enumeration and email disclosure vulnerability that can be exploited by attackers to enumerate users and disclose sensitive email...

CVSS 6.5, AI score 6.5, EPSS 0.00059
Exploits 1, References 1
RedhatCVE
added 2025/12/02 10:31 p.m., 4 views

CVE-2025-66307

This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a user enumeration and email disclosure vulnerability exists in Grav. The "Forgot Password" functionality at /admin/forgot leaks...

CVSS 6.5, AI score 6.2, EPSS 0.00059
Exploits 1, References 1
EUVD
added 2025/12/02 12:38 a.m., 2 views

EUVD-2025-200103

Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure...

CVSS 6.5, AI score 6.4, EPSS 0.00059
Exploits 1, References 4
Github Security Blog
added 2025/12/02 12:38 a.m., 5 views

Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure

Grav v1.7.49.5 / Admin v1.10.49.1 – User Enumeration & Email Disclosure. Summary: A user enumeration and email disclosure vulnerability exists in Grav v1.7.49.5 with Admin plugin v1.10.49.1. The "Forgot Password" functionality at /admin/forgot leaks information about valid usernames and their...

CVSS 6.5, AI score 6.6, EPSS 0.00059
Exploits 1, References 5, Affected Software 1
OSV
added 2025/12/02 12:38 a.m., 3 views

GHSA-Q3QX-CP62-F6M7 Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure

Grav v1.7.49.5 / Admin v1.10.49.1 – User Enumeration & Email Disclosure. Summary: A user enumeration and email disclosure vulnerability exists in Grav v1.7.49.5 with Admin plugin v1.10.49.1. The "Forgot Password" functionality at /admin/forgot leaks information about valid usernames and their...

CVSS 6.5, AI score 6.5, EPSS 0.00059
Exploits 1, References 5