Lucene search
+L

358 matches found

cve
cve
added 2 days ago10 views

CVE-2026-44753

CVE-2026-44753 affects SAP HANA Database (User Self Service) / Extended Application Services classic model. An unauthenticated attacker can send specially crafted requests to obtain distinguishable responses that enumerate valid user accounts and email addresses. Impact is described as low confid...

3.7CVSS6.1AI score0.0022EPSS
Exploits0References2
euvd
euvd
added 2 days ago8 views

EUVD-2026-43588

SAP HANA Database user self service tools allows an unauthenticated user to send specially crafted requests that produce distinguishable responses, enabling enumeration of valid user accounts and email addresses. Successful exploitation could allow the attacker to enumerate valid user accounts,...

3.7CVSS6.1AI score0.0022EPSS
Exploits0References2
nvd
nvd
added 2026/07/09 5:17 p.m.9 views

CVE-2026-59218

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than...

5.3CVSS0.0024EPSS
Exploits0References4
cvelist
cvelist
added 2026/07/09 3:53 p.m.33 views

CVE-2026-59218 Open WebUI: Account enumeration via observable login timing discrepancy

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than...

5.3CVSS0.0024EPSS
Exploits0References4
attackerkb
attackerkb
added 2026/07/09 3:53 p.m.7 views

CVE-2026-59218

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than...

5.3CVSS5.9AI score0.0024EPSS
Exploits0References5Affected Software1
euvd
euvd
added 2026/07/09 3:53 p.m.9 views

EUVD-2026-42617

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than...

5.3CVSS5.9AI score0.0024EPSS
Exploits0References4
cve
cve
added 2026/07/09 3:53 p.m.9 views

CVE-2026-59218

Open WebUI prior to version 0.10.0 exposed an account enumeration flaw in the /api/v1/auths/signin endpoint. The login flow looked up users by email and only performed bcrypt verification when a credential existed, causing registered accounts to respond more slowly than missing email attempts. Th...

5.3CVSS5.9AI score0.0024EPSS
Exploits0References4Affected Software1
osv
osv
added 2026/07/09 3:53 p.m.3 views

CVE-2026-59218 Open WebUI: Account enumeration via observable login timing discrepancy

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than...

5.3CVSS6.1AI score0.0024EPSS
Exploits0References6
cve
cve
added 2026/07/09 12:0 a.m.17 views

CVE-2026-51926

The vulnerability (CVE-2026-51926) affects docuForm FSM Client v11.11c. The login.php authentication mechanism enables user enumeration: an attacker can distinguish valid from invalid usernames by differences in server responses, enabling identification of existing accounts. This information coul...

7.5CVSS6AI score0.0036EPSS
Exploits0References2
euvd
euvd
added 2026/07/06 8:43 p.m.6 views

EUVD-2026-41942

Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to...

8.6CVSS6AI score0.0025EPSS
Exploits0References4
vulnrichment
vulnrichment
added 2026/07/06 8:43 p.m.8 views

CVE-2026-59712 Leantime - JSON-RPC API Broken Access Control via users.getUser

Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to...

8.6CVSS6AI score0.0025EPSS
Exploits0References4
cve
cve
added 2026/07/06 8:43 p.m.19 views

CVE-2026-59712

According to the connected NVD records, CVE-2026-59712 affects Leantime’s JSON-RPC API via the Users::getUser method. The vulnerability arises from missing authorization checks, enabling authenticated users to call users.getUser with arbitrary user IDs and enumerate accounts. The outcome is expos...

8.6CVSS6AI score0.0025EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/07/06 12:0 a.m.14 views

PT-2026-56014

Name of the Vulnerable Software and Affected Versions Leantime affected versions not specified Description The Users::getUser function within the JSON-RPC API does not implement sufficient authorization checks. This allows authenticated users to retrieve complete user credential records by...

8.6CVSS6.2AI score0.0025EPSS
Exploits0References6
nvd
nvd
added 2026/06/26 8:17 p.m.8 views

CVE-2026-44731

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user account...

4.3CVSS0.00186EPSS
Exploits0References1
cvelist
cvelist
added 2026/06/19 5:52 p.m.20 views

CVE-2023-54357 Joomla com_booking 2.4.9 Information Disclosure via Account Enumeration

Joomla combooking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=combooking,...

8.7CVSS0.00346EPSS
Exploits0References4
cve
cve
added 2026/06/19 5:52 p.m.18 views

CVE-2023-54357

CVE-2023-54357 affects Joomla com_booking 2.4.9. The vulnerability is an information disclosure in the getUserData function of the customer controller, permitting unauthenticated attackers to enumerate user accounts by brute-forcing the id parameter via requests like index.php?option=com_booking&...

8.7CVSS5.8AI score0.00346EPSS
Exploits0References4
redhatcve
redhatcve
added 2026/06/05 7:29 p.m.10 views

CVE-2026-24468

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.11.0 and prior to version 2.0.13, the /api/reset endpoint behaves differently depending on whether the supplied username exists in the syste...

5.3CVSS5.5AI score0.00294EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/05/29 7:52 p.m.12 views

CVE-2026-45294 FreeScout: User Account Enumeration via Password Reset Response Differentiation

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerat...

5.3CVSS5.8AI score0.0021EPSS
Exploits0References1
cve
cve
added 2026/05/29 7:52 p.m.23 views

CVE-2026-45294

FreeScout (PHP/Laravel) before version 1.8.219 is vulnerable. The password reset endpoint returns visually distinct responses based on whether the submitted email belongs to an existing user, enabling unauthenticated enumeration of valid helpdesk agent email addresses. Root cause: inadequate obfu...

5.3CVSS5.8AI score0.0021EPSS
Exploits0References1
osv
osv
added 2026/05/29 7:52 p.m.3 views

CVE-2026-45294 FreeScout: User Account Enumeration via Password Reset Response Differentiation

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerat...

5.3CVSS6AI score0.0021EPSS
Exploits0References3
Rows per page
Query Builder