CVE-2025-11750
In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system...
PT-2025-40866
Name of the Vulnerable Software and Affected Versions: affected versions not specified Description: The application reveals whether a username exists during failed login attempts by returning different error messages for incorrect passwords versus non-existent usernames. This enables an attacker to...
Denial Of Service (DoS)
github.com/cri-o/cri-o is vulnerable to Denial Of Service (DoS). The vulnerability is due to improper user-creation handling: CRI-O reads the entire /etc/passwd file into memory when securityContext.runAsUser specifies a non-existent user, leading to excessive memory consumption and potential...
CRI-O has Potential High Memory Consumption from File Read
There's a vulnerability in the CRI-O application where, when a container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause a hi...
GHSA-8F93-J3FX-72F3 CRI-O has Potential High Memory Consumption from File Read
There's a vulnerability in the CRI-O application where, when a container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause a hi...
CVE-2025-4437 Cri-o: large /etc/passwd file may lead to denial of service
There's a vulnerability in the CRI-O application where, when a container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause a hi...
PT-2025-34042 · Cri-O · Cri-O
Name of the Vulnerable Software and Affected Versions: CRI-O affected versions not specified Description: CRI-O is susceptible to a denial-of-service issue. When a container is launched with securityContext.runAsUser set to a non-existent user, CRI-O attempts to create the user by reading the...
CVE-2023-31286
An issue was discovered in Serenity Serene and StartSharp before 6.7.0. When a password reset request occurs, the server response leaks the existence of users. If one tries to reset a password of a non-existent user, an error message indicates that this user does not exist...
CVE-2024-36469
Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one...
UBUNTU-CVE-2024-36469
Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one...
SUSE CVE-2025-27112
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...
PT-2024-40248 · Unknown · Silverstripe
Name of the Vulnerable Software and Affected Versions: Silverstripe affected versions not specified Description: The issue concerns a user ID enumeration vulnerability in brute force error messages. Specifically, the system previously handled login attempts for non-existent and existing users...
GHSA-WXCP-F2C8-X6XV Observable Discrepancy in Apache Tomcat
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note...
DEBIAN-CVE-2019-12471
Wikimedia MediaWiki 1.30.0 through 1.32.1 has XSS. Loading user JavaScript from a non-existent account allows anyone to create the account, and perform XSS on users loading that script. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6...
CVE-2016-6210
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provid...
UBUNTU-CVE-2016-2313
authlogin.php in Cacti before 0.8.8g allows remote authenticated users who use web authentication to bypass intended access restrictions by logging in as a user not in the cacti database...
DEBIAN-CVE-2014-2855
The checksecret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a user name which does not exist in the secrets file...
CVE-2006-6421
Cross-site scripting (XSS) vulnerability in the private message box implementation (privmsg.php) in phpBB 2.0.x allows remote authenticated users to inject arbitrary web script or HTML via the "Message body" field in a message to a non-existent user...