CVE-2026-31888 Shopware has user enumeration via distinct error codes on Store API login endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown...

CVE-2026-31888 Shopware has user enumeration via distinct error codes on Store API login endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint POST /store-api/account/login returns different error codes depending on whether the submitted email address belongs to a registered customer CHECKOUTCUSTOMERAUTHBADCREDENTIALS or is unknown...

CVE-2025-11750

In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system...

CVE-2025-11750 User Enumeration via Distinct Error Messages in langgenius/dify-web

In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system...

PT-2025-43031

Name of the Vulnerable Software and Affected Versions langgenius/dify-web version 1.6.0 Description The authentication process in the software reveals whether user accounts exist by providing different error messages depending on whether a username or email is registered. Attempting to log in or...

CVE-2025-56764

Trivision NC-227WF firmware 5.80 build 20141010 login mechanism reveals whether a username exists or not by returning different error messages "Unknown user" vs. "Wrong password", allowing an attacker to enumerate valid usernames...

GHSA-W82P-R9VW-4RG5 WSO2's Input Validation Management Service contains Observable Discrepancy when Multi-Attribute Login is enabled

A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validateusername setting. This behavior allows malicious actor...

CVE-2025-1396

A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validateusername setting. This behavior allows malicious actor...

CVE-2019-18986

Pimcore before 6.2.2 allow attackers to brute-force guess valid usernames by using the 'forgot password' functionality as it returns distinct messages for invalid password and non-existing users...