EUVD-2026-35878

BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit...

CVE-2026-53674

CVE-2026-53674 affects BuddyPress 14.4.0. A regular expression injection in the activity mention resolver occurs when username compatibility mode is enabled, allowing an attacker to craft @mentions with regex metacharacters that pass esc_sql and are inserted into an unprepared REGEXP query on the...

CVE-2024-0391

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage...

CVE-2024-0391

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage...

CVE-2025-22234

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. Mitigation Mitigation for thi...

CVE-2025-22234

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

EUVD-2026-3787

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

CVE-2025-22234

CVE-2025-22234 is associated with Spring Security’s timing-attack mitigation in DaoAuthenticationProvider. The described issue states that the fix applied in CVE-2025-22228 accidentally broke the mitigation, enabling an attacker to infer usernames or authentication behavior via response-time diff...

EUVD-2025-11012

Malicious code in bioql PyPI...

CVE-2025-24487

An unauthenticated attacker can infer the existence of usernames in the system by querying an API...

CVE-2025-24487

CVE-2025-24487 concerns Growatt Cloud Applications (Cloud portal). Multiple connected sources indicate an unauthenticated attacker can infer the existence of usernames by querying an API, implying an exposed endpoint that reveals user existence without requiring authentication. Publicly cited ref...

PT-2025-16414

Name of the Vulnerable Software and Affected Versions The product name cannot be determined. Description An unauthenticated attacker can infer the existence of usernames in the system by querying an API. Recommendations At the moment, there is no information about a newer version that contains a...

Growatt Cloud Applications 安全漏洞

Growatt Cloud Applications is a monitoring platform from Growatt, a Chinese company. A security vulnerability exists in Growatt Cloud Applications version 3.6.0 and prior versions, which originates from an unauthenticated attacker being able to infer the presence of a username on the system...