ReportizFlow
Filtered by vendor
Subscriptions
Total
749 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-46804 | 1 Gnu | 1 Screen | 2026-04-15 | 3.3 Low |
| A minor information leak when running Screen with setuid-root privileges allows unprivileged users to deduce information about a path that would otherwise not be available. Affected are older Screen versions, as well as version 5.0.0. | ||||
| CVE-2025-13912 | 1 Wolfssl | 1 Wolfssl | 2026-04-15 | N/A |
| Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks. | ||||
| CVE-2024-30171 | 1 Redhat | 6 Amq Broker, Apache Camel Spring Boot, Camel Quarkus and 3 more | 2026-04-15 | 5.9 Medium |
| An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing. | ||||
| CVE-2025-6056 | 2026-04-15 | N/A | ||
| Timing difference in password reset in Ergon Informatik AG's Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 and 8.3.1 allows unauthenticated attackers to enumerate usernames. | ||||
| CVE-2024-54002 | 1 Dependencytrack | 1 Dependency-track | 2026-04-15 | 5.3 Medium |
| Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exist in the system takes significantly longer than performing the same action with a username that is not known by the system. The observable difference in request duration can be leveraged by actors to enumerate valid names of managed users. LDAP and OpenID Connect users are not affected. The issue has been fixed in Dependency-Track 4.12.2. | ||||
| CVE-2024-41880 | 1 Veilid | 1 Veilid | 2026-04-15 | 5.3 Medium |
| In veilid-core in Veilid before 0.3.4, the protocol's ping function can be misused in a way that decreases the effectiveness of safety and private routes. | ||||
| CVE-2024-12663 | 1 Funnyzpc | 1 Mee-admin | 2026-04-15 | 3.7 Low |
| A vulnerability classified as problematic was found in funnyzpc Mee-Admin up to 1.6. This vulnerability affects unknown code of the file /mee/login of the component Login. The manipulation of the argument username leads to observable response discrepancy. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-37482 | 2026-04-15 | 5.3 Medium | ||
| The login functionality of the web server in affected devices does not normalize the response times of login attempts. An unauthenticated remote attacker could exploit this side-channel information to distinguish between valid and invalid usernames. | ||||
| CVE-2025-41252 | 1 Vmware | 3 Cloud Foundation, Nsx, Nsx-t | 2026-04-15 | 7.5 High |
| Description: VMware NSX contains a username enumeration vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially leading to unauthorized access attempts. Impact: Username enumeration → facilitates unauthorized access. Attack Vector: Remote, unauthenticated. Severity: Important. CVSSv3: 7.5 (High). Acknowledgments: Reported by the National Security Agency. Affected Products: * VMware NSX 9.x.x.x, 4.2.x, 4.1.x, 4.0.x * NSX-T 3.x * VMware Cloud Foundation (with NSX) 5.x, 4.5.x Fixed Versions: * NSX 9.0.1.0; 4.2.2.2/4.2.3.1 http://4.2.2.2/4.2.3.1 ; 4.1.2.7; NSX-T 3.2.4.3; CCF async patch (KB88287). Workarounds: None. | ||||
| CVE-2023-30312 | 2026-04-15 | 7.3 High | ||
| An issue discovered in OpenWrt 18.06, 19.07, 21.02, 22.03, and beyond allows off-path attackers to hijack TCP sessions, which could lead to a denial of service, impersonating the client to the server (e.g., for access to files over FTP), and impersonating the server to the client (e.g., to deliver false information from a finance website). This occurs because nf_conntrack_tcp_no_window_check is true by default. | ||||
| CVE-2025-47872 | 1 Eg4 Electronics | 7 Eg4 12000xp, Eg4 12kpv, Eg4 18kpv and 4 more | 2026-04-15 | 5.8 Medium |
| The public-facing product registration endpoint server responds differently depending on whether the S/N is valid and unregistered, valid but already registered, or does not exist in the database. Combined with the fact that serial numbers are sequentially assigned, this allows an attacker to gain information on the product registration status of different S/Ns. | ||||
| CVE-2022-50800 | 1 H3c | 1 Ssl Vpn | 2026-04-15 | 7.5 High |
| H3C SSL VPN contains a user enumeration vulnerability that allows attackers to identify valid usernames through the 'txtUsrName' POST parameter. Attackers can submit different usernames to the login_submit.cgi endpoint and analyze response messages to distinguish between existing and non-existing accounts. | ||||
| CVE-2025-1468 | 2026-04-15 | 7.5 High | ||
| An unauthenticated remote attacker can gain access to sensitive information including authentication information when using CODESYS OPC UA Server with the non-default Basic128Rsa15 security policy. | ||||
| CVE-2025-6386 | 1 Parisneo | 1 Lollms | 2026-04-15 | N/A |
| The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolved in version 20.1. The vulnerability arises from the use of Python's default string equality operator for password comparison, which compares characters sequentially and exits on the first mismatch, leading to variable response times based on the number of matching initial characters. | ||||
| CVE-2025-67806 | 2 Sage, Sagedpw | 2 Dpw, Sage Dpw | 2026-04-09 | 3.7 Low |
| The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions. | ||||
| CVE-2026-26895 | 2 Enhancesoft, Osticket | 2 Osticket, Osticket | 2026-04-08 | 5.3 Medium |
| User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote attackers to enumerate valid usernames registered in the platform. | ||||
| CVE-2024-11297 | 1 Miniorange | 1 Page Restriction | 2026-04-08 | 5.3 Medium |
| The Page Restriction WordPress (WP) – Protect WP Pages/Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.6 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. | ||||
| CVE-2023-53943 | 1 Glpi-project | 1 Glpi | 2026-04-07 | 5.3 Medium |
| GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts. | ||||
| CVE-2019-14360 | 1 Hyundai | 2 Kasse Hk-1000, Kasse Hk-1000 Firmware | 2026-04-03 | 4.6 Medium |
| On Hyundai Pay Kasse HK-1000 devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data. | ||||
| CVE-2024-54476 | 1 Apple | 1 Macos | 2026-04-02 | 5.5 Medium |
| The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. An app may be able to access user-sensitive data. | ||||