CVE & CISA-KEV Catalog

362,600 CVEs1,630 actively exploited (KEV)AboutAPI
Active:
  • CVSS 5.3 v3·EPSS -·No fix yet

    Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable API key to determine if an organization ID exists based on NO_ORG versus NO_RIGHTS responses, enabling tenant enumeration attacks.

    Published 2026-06-30

  • CVSS 5.3 v3·EPSS -·No fix yet

    Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)

    Published 2026-06-30

  • CVSS 6.5 v3·EPSS -·No fix yet

    Side-channel information leakage in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

    Published 2026-06-30

  • CVSS 6.5 v3·EPSS -·No fix yet

    Side-channel information leakage in WebAuthentication in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

    Published 2026-06-30

  • CVSS 6.5 v3·EPSS -·No fix yet

    Side-channel information leakage in WebAudio in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

    Published 2026-06-30

  • CVSS 6.9 v4·EPSS 0.3%·No fix yet

    NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. This vulnerability is fixed in 2026.05.1.

    Published 2026-06-23

  • CVSS 5.3 v3·EPSS 0.2%·No fix yet

    Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones and generate sustained unauthenticated traffic for resource consumption.

    Published 2026-06-21

  • CVSS 4.3 v3·EPSS 0.2%·No fix yet

    Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps, breaking tenant isolation.

    Published 2026-06-20

  • CVSS 7.5 v3·EPSS 0.3%·No fix yet

    Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration.

    Published 2026-06-19

  • CVSS 6.5 v3·EPSS 0.2%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

    Published 2026-06-05

  • CVSS 6.5 v3·EPSS 0.2%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

    Published 2026-06-05

  • CVSS 5.3 v3·EPSS 0.2%·No fix yet

    FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.

    Published 2026-05-29

  • CVSS 5.3 v3·EPSS 0.2%·No fix yet

    TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before returning a 401 Unauthorized, adding ~370 ms of latency. When the email did not exist, the backend returned immediately (~10 ms). This ~14× timing difference could be detected without any difference in HTTP status codes or response bodies. This vulnerability is fixed in 3.0.18.

    Published 2026-05-28

  • CVSS 3.7 v3·EPSS 0.3%·No fix yet

    A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. Performing a manipulation results in observable response discrepancy. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitability is regarded as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

    Published 2026-05-10

  • CVSS 9.0 v3·EPSS 0.4%·Fix available

    RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py — check_sign_in_key(). This issue has been patched via commit 2f68e16.

    Published 2026-05-08

  • CVSS 4.3 v3·EPSS 0.3%·Fix available

    Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1.

    Published 2026-05-07

  • CVSS 4.3 v3·EPSS 0.3%·No fix yet

    In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint.

    Published 2026-04-16

  • CVSS 5.3 v3·EPSS 0.4%·Fix available

    User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote attackers to enumerate valid usernames registered in the platform.

    Published 2026-04-02

  • CVSS 3.7 v3·EPSS 0.3%·No fix yet

    The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions.

    Published 2026-04-01

  • CVSS 5.9 v3·EPSS 0.3%·Fix available

    wolfSSL 5.8.4 on RISC-V RV32I architectures lacks a constant-time software implementation for 64-bit multiplication. The compiler-inserted __muldi3 subroutine executes in variable time based on operand values. This affects multiple SP math functions (sp_256_mul_9, sp_256_sqr_9, etc.), leading to a timing side-channel that may expose sensitive cryptographic data.

    Published 2026-03-31

  • CVSS 4.7 v3·EPSS 0.1%·Fix available

    In wolfSSL 5.8.4, constant-time masking logic in sp_256_get_entry_256_9 is optimized into conditional branches (bnez) by GCC when targeting RISC-V RV32I with -O3. This transformation breaks the side-channel resistance of ECC scalar multiplication, potentially allowing a local attacker to recover secret keys via timing analysis.

    Published 2026-03-31

  • CVSS 5.3 v3·EPSS 0.3%·Fix available

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. This issue has been patched in versions 8.6.54 and 9.6.0-alpha.43.

    Published 2026-03-24

  • CVSS 5.3 v3·EPSS 0.2%·Fix available

    Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, unauthenticated users can determine whether a specific user is a member of a private group by observing changes in directory results when using the `exclude_groups` parameter. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. As a workaround, disable public access to the user directory via Admin → Settings → hide user profiles from public.

    Published 2026-03-21

  • CVSS 6.5 v3·EPSS 0.1%·Fix available

    Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.

    Published 2026-03-16

  • CVSS 4.3 v3·EPSS 0.2%·Fix available

    Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588

    Published 2026-03-16

  • CVSS 3.7 v3·EPSS 0.3%·No fix yet

    A flaw has been found in projectsend up to r1945. This impacts an unknown function of the file includes/Classes/Auth.php. Executing a manipulation of the argument ldap_email can lead to observable response discrepancy. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is said to be difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    Published 2026-03-12

  • CVSS 3.3 v3·EPSS 0.1%·Fix available

    A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version 2026.2.19-beta.1 is capable of addressing this issue. The identifier of the patch is bafdbb6f112409a65decd3d4e7350fbd637c7754. Upgrading the affected component is advised.

    Published 2026-03-12

  • CVSS 7.5 v3·EPSS 0.4%·Fix available

    go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. Geth maintainers recommend rotating the node key after applying the upgrade, which can be done by removing the file `<datadir>/geth/nodekey` before starting Geth.

    Published 2026-02-19

  • CVSS 4.3 v3·EPSS 0.2%·Fix available

    GFI MailEssentials AI versions prior to 22.4 contain an arbitrary directory existence enumeration vulnerability in the ListServer.IsPathExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist. An authenticated user can supply an unrestricted filesystem path via the JSON key \"path\", which is URL-decoded and passed to Directory.Exists(), allowing the attacker to determine whether arbitrary directories exist on the server.

    Published 2026-02-19

  • CVSS 4.3 v3·EPSS 0.2%·Fix available

    GFI MailEssentials AI versions prior to 22.4 contain an arbitrary file existence enumeration vulnerability in the ListServer.IsDBExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist. An authenticated user can supply an unrestricted filesystem path via the JSON key \"path\", which is URL-decoded and passed to File.Exists(), allowing the attacker to determine whether arbitrary files exist on the server.

    Published 2026-02-19

  • CVSS 9.8 v3·EPSS 0.4%·No fix yet

    OwnCloud 8.1.8 contains a username enumeration vulnerability that allows remote attackers to discover user accounts by manipulating the share.php endpoint. Attackers can send crafted GET requests to /index.php/core/ajax/share.php with a wildcard search parameter to retrieve comprehensive user information.

    Published 2026-02-12

  • CVSS 5.3 v3·EPSS 0.3%·Fix available

    Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. This vulnerability is fixed in 11.14.1.

    Published 2026-02-12

  • CVSS 4.3 v3·EPSS 0.3%·Fix available

    WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.

    Published 2026-02-07

  • CVSS 5.3 v3·EPSS 0.3%·Fix available

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application's response during the password reset process. This issue has been patched in version 0.28.5.0.

    Published 2026-02-03

  • CVSS 5.3 v3·EPSS 0.4%·Fix available

    File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch

    Published 2026-01-19

  • CVSS 9.8 v3·EPSS 0.5%·Fix available

    RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. Prior to 0.4.4, the thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly when using cmovnz (portable version). This vulnerability is fixed in 0.4.4.

    Published 2026-01-15

  • CVSS 5.3 v3·EPSS 0.7%·Fix available

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.

    Published 2026-01-03

  • CVSS 5.3 v3·EPSS 0.3%·No fix yet

    REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts.

    Published 2026-01-02

  • CVSS 7.5 v3·EPSS 0.3%·No fix yet

    H3C SSL VPN contains a user enumeration vulnerability that allows attackers to identify valid usernames through the 'txtUsrName' POST parameter. Attackers can submit different usernames to the login_submit.cgi endpoint and analyze response messages to distinguish between existing and non-existing accounts.

    Published 2025-12-30

  • CVSS -·EPSS 0.1%·Fix available

    Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks.

    Published 2025-12-30

  • CVSS 5.3 v3·EPSS 0.3%·No fix yet

    GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts.

    Published 2025-12-18

  • CVSS 2.8 v3·EPSS 0.1%·No fix yet

    There is a username enumeration via local user login in Entrinsik Informer v5.10.1 which allows malicious users to enumerate users by entering an OTP code and new password then reviewing application responses.

    Published 2025-12-17

  • CVSS 2.7 v3·EPSS 0.2%·Fix available

    In JetBrains TeamCity before 2025.11 port enumeration was possible via the Perforce connection test

    Published 2025-12-16

  • CVSS 5.3 v3·EPSS 0.3%·No fix yet

    SpinetiX Fusion Digital Signage 3.4.8 contains a username enumeration vulnerability in its login script that allows attackers to identify valid user accounts. Attackers can send crafted login requests with different usernames to distinguish between existing and non-existing accounts by analyzing the server's error responses.

    Published 2025-12-10

  • CVSS 7.5 v3·EPSS 0.5%·No fix yet

    XiangShan Nanhu V2 and XiangShan Kunmighu V3 were discovered to use speculative execution and indirect branch prediction, allowing attackers to access sensitive information via side-channel analysis of the data cache.

    Published 2025-12-10

  • CVSS 5.3 v3·EPSS 0.2%·Fix available

    User enumeration in Nagvis' Checkmk MultisiteAuth before version 1.9.48 allows an unauthenticated attacker to enumerate Checkmk usernames.

    Published 2025-12-03

  • CVSS 7.5 v3·EPSS 0.3%·Fix available

    Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X25519, which is now turned on as the default for Xtensa.

    Published 2025-12-03

  • CVSS 7.2 v3·EPSS 0.3%·Fix available

    Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with elevated privileges to falsify tamper events by accessing internal components.

    Published 2025-12-02

  • CVSS 4.3 v3·EPSS 0.2%·Fix available

    The server previously verified the TLS 1.3 PSK binder using a non-constant time method which could potentially leak information about the PSK binder

    Published 2025-11-25

  • CVSS 5.3 v3·EPSS 0.3%·Fix available

    An issue in Austrian Academy of Sciences (AW) Austrian Archaeological Institute OpenAtlas v.8.12.0 allows a remote attacker to obtain sensitive information via the login error messages

    Published 2025-11-24

Uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog.