ReportizFlow
Filtered by vendor
Subscriptions
Total
150 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-5485 | 2026-04-15 | 8.6 High | ||
| User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malicious actor can enumerate potential targets by incrementing or decrementing from known identifiers or through enumerating random digit sequences. | ||||
| CVE-2025-2910 | 2026-04-15 | N/A | ||
| User enumeration in the password reset module of the MeetMe authentication service in versions prior to 2024-09 allows an attacker to determine whether an email address is registered through specific error messages. | ||||
| CVE-2025-30280 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.21.0), Mendix Runtime V10.12 (All versions < V10.12.16), Mendix Runtime V10.18 (All versions < V10.18.5), Mendix Runtime V10.6 (All versions < V10.6.22), Mendix Runtime V8 (All versions < V8.18.35), Mendix Runtime V9 (All versions < V9.24.34). Affected applications allow for entity enumeration due to distinguishable responses in certain client actions. This could allow an unauthenticated remote attacker to list all valid entities and attribute names of a Mendix Runtime-based application. | ||||
| CVE-2025-0693 | 2026-04-15 | 5.3 Medium | ||
| Variable response times in the AWS Sign-in IAM user login flow allowed for the use of brute force enumeration techniques to identify valid IAM usernames in an arbitrary AWS account. | ||||
| CVE-2024-12663 | 1 Funnyzpc | 1 Mee-admin | 2026-04-15 | 3.7 Low |
| A vulnerability classified as problematic was found in funnyzpc Mee-Admin up to 1.6. This vulnerability affects unknown code of the file /mee/login of the component Login. The manipulation of the argument username leads to observable response discrepancy. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2025-34155 | 1 Tibbo | 1 Aggregate | 2026-04-15 | N/A |
| Tibbo AggreGate Network Manager < 6.40.05 contains an observable response discrepancy in its login functionality. Authentication failure messages differ based on whether a supplied username exists or not, allowing an unauthenticated remote attacker to infer valid account identifiers. This can facilitate user enumeration and increase the likelihood of targeted brute-force or credential-stuffing attacks. | ||||
| CVE-2024-40627 | 1 Busykoala | 1 Fastapi-opa | 2026-04-15 | 5.8 Medium |
| Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP `OPTIONS` requests are always allowed by `OpaMiddleware`, even when they lack authentication, and are passed through directly to the application. `OpaMiddleware` allows all HTTP `OPTIONS` requests without evaluating it against any policy. If an application provides different responses to HTTP `OPTIONS` requests based on an entity existing (such as to indicate whether an entity is writable on a system level), an unauthenticated attacker could discover which entities exist within an application. This issue has been addressed in release version 2.0.1. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-49069 | 1 Siemens | 1 Mendix | 2026-04-15 | 5.3 Medium |
| A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.17.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions < V10.12.11 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.6 (All versions < V10.6.19 only if the basic authentication mechanism is used by the application), Mendix Runtime V8 (All versions < V8.18.33 only if the basic authentication mechanism is used by the application), Mendix Runtime V9 (All versions < V9.24.31 only if the basic authentication mechanism is used by the application). The authentication mechanism of affected applications contains an observable response discrepancy vulnerability when validating usernames. This could allow unauthenticated remote attackers to distinguish between valid and invalid usernames. | ||||
| CVE-2024-39211 | 1 Kaiten | 1 Kaiten | 2026-04-15 | 5.3 Medium |
| Kaiten 57.128.8 allows remote attackers to enumerate user accounts via a crafted POST request, because a login response contains a user_email field only if the user account exists. | ||||
| CVE-2025-25236 | 1 Omnissa | 1 Workspace One | 2026-04-15 | 5.3 Medium |
| Omnissa Workspace ONE UEM contains an observable response discrepancy vulnerability. A malicious actor may be able to enumerate sensitive information such as tenant ID and user accounts that could facilitate brute-force, password-spraying or credential-stuffing attacks. | ||||
| CVE-2025-23214 | 2026-04-15 | N/A | ||
| Cosmos provides users the ability self-host a home server by acting as a secure gateway to your application, as well as a server manager. By monitoring the error code returned in the login, it is possible to figure out whether a user exist or not in the database. Patched in 0.17.7. | ||||
| CVE-2025-62181 | 1 Pegasystems | 1 Pega Infinity | 2026-04-15 | 5.3 Medium |
| Pega Platform versions 7.1.0 through Infinity 25.1.0 are affected by a User Enumeration. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. This only applies to deprecated basic-authentication feature and other more secure authentication mechanisms are recommended. A fix is being provided in the 24.1.4, 24.2.4, and 25.1.1 patch releases. Please note: Basic credentials authentication service type is deprecated started in 24.2 version: https://docs.pega.com/bundle/platform/page/platform/release-notes/security/whats-new-security-242.html. | ||||
| CVE-2025-46390 | 2026-04-15 | 7.5 High | ||
| CWE-204: Observable Response Discrepancy | ||||
| CVE-2025-24342 | 2026-04-15 | 5.3 Medium | ||
| A vulnerability in the login functionality of the web application of ctrlX OS allows a remote unauthenticated attacker to guess valid usernames via multiple crafted HTTP requests. | ||||
| CVE-2025-9824 | 1 Mautic | 1 Mautic | 2026-04-15 | 5.9 Medium |
| ImpactThe attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after which an attacker could attempt brute force attacks. PatchesThis vulnerability has been patched, implementing a timing-safe form login authenticator that ensures consistent response times regardless of whether a user exists or not. Technical DetailsThe vulnerability was caused by different response times when: * A valid username was provided (password hashing occurred) * An invalid username was provided (no password hashing occurred) The fix introduces a TimingSafeFormLoginAuthenticator that performs a dummy password hash verification even for non-existent users, ensuring consistent timing. WorkaroundsNo workarounds are available. Users should upgrade to the patched version. References * https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account | ||||
| CVE-2024-39912 | 2026-04-15 | 5.3 Medium | ||
| web-auth/webauthn-lib is an open source set of PHP libraries and a Symfony bundle to allow developers to integrate that authentication mechanism into their web applications. The ProfileBasedRequestOptionsBuilder method returns allowedCredentials without any credentials if no username was found. When WebAuthn is used as the first or only authentication method, an attacker can enumerate usernames based on the absence of the `allowedCredentials` property in the assertion options response. This allows enumeration of valid or invalid usernames. By knowing which usernames are valid, attackers can focus their efforts on a smaller set of potential targets, increasing the efficiency and likelihood of successful attacks. This issue has been addressed in version 4.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-48015 | 2026-04-15 | 3.7 Low | ||
| Failed login response could be different depending on whether the username was local or central. | ||||
| CVE-2025-42903 | 1 Sap | 1 Financial Service Claims Management | 2026-04-15 | 4.3 Medium |
| A vulnerability in SAP Financial Service Claims Management RFC function ICL_USER_GET_NAME_AND_ADDRESS allows user enumeration and potential disclosure of personal data through response discrepancies, causing low impact on confidentiality with no impact on integrity or availability. | ||||
| CVE-2021-47717 | 2026-04-15 | N/A | ||
| IntelliChoice eFORCE Software Suite 2.5.9 contains a username enumeration vulnerability that allows attackers to enumerate valid users by exploiting the 'ctl00$MainContent$UserName' POST parameter. Attackers can send requests with valid usernames to retrieve user information. | ||||
| CVE-2026-4113 | 1 Sonicwall | 1 Sma1000 | 2026-04-14 | 7.2 High |
| An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to enumerate SSL VPN user credentials. | ||||