{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26744", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-02-24T15:53:13.623Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-02-19T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-19T21:20:57.987Z"}, "descriptions": [{"lang": "en", "value": "A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/formalms/formalms.git"}, {"url": "https://github.com/lorenzobruno7/CVE-2026-26744"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-204", "lang": "en", "description": "CWE-204 Observable Response Discrepancy"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T15:51:54.616929Z", "id": "CVE-2026-26744", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T15:53:13.623Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26744", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T15:51:54.616929Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-204", "description": "CWE-204 Observable Response Discrepancy"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T15:52:59.882Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/formalms/formalms.git"}, {"url": "https://github.com/lorenzobruno7/CVE-2026-26744"}], "descriptions": [{"lang": "en", "value": "A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-19T21:20:57.987Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26744", "state": "PUBLISHED", "dateUpdated": "2026-02-24T15:53:13.623Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-19T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:formalms:formalms:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0D5CBAB-4A63-4E23-8F70-561875E39DDF", "versionEndIncluding": "4.1.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy."}, {"lang": "es", "value": "Hay una vulnerabilidad de enumeraci\u00f3n de usuarios en FormaLMS 4.1.18 y versiones anteriores en la funcionalidad de recuperaci\u00f3n de contrase\u00f1a accesible a trav\u00e9s del endpoint /lostpwd. La aplicaci\u00f3n devuelve mensajes de error diferentes para nombres de usuario v\u00e1lidos e inv\u00e1lidos, permitiendo a un atacante no autenticado determinar qu\u00e9 nombres de usuario est\u00e1n registrados en el sistema a trav\u00e9s de la discrepancia observable en la respuesta."}], "id": "CVE-2026-26744", "lastModified": "2026-02-26T02:48:23.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T22:16:47.627", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/formalms/formalms.git"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/lorenzobruno7/CVE-2026-26744"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.18]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "formalms", "vendor": "formalms"}], "analysis": {"en": {"generated_at": "2026-04-18T11:53:43.962252+00:00", "value": {"mitigation_remediation": ["Upgrade FormaLMS to a version that removes the distinct error responses or applies the vendor patch, thereby eliminating the CWE\u2011204 Information Exposure flaw.", "If an upgrade is not immediately possible, modify the password recovery flow to return a generic \"If this account exists, an email has been sent\" message for all inputs, thus mitigating the CWE\u2011204 weakness.", "As a temporary measure, restrict access to /lostpwd by applying web\u2011application firewall rules or rate limiting to slow enumeration attempts."], "summary": {"action": "Assess", "impact": "User Enumeration via Password Recovery"}, "threat_synthesis": {"affected_systems": "This issue affects FormaLMS versions 4.1.18 and earlier. The CVE source indicates the application is the official FormaLMS distribution; the affected versions are all releases up to but not including 4.1.19.", "description_and_impact": "A user enumeration vulnerability has been identified in the password recovery functionality of FormaLMS. When an attacker accesses the /lostpwd endpoint, the application returns distinct error messages for valid and invalid usernames. This observable difference allows an unauthenticated attacker to infer whether a username exists in the system, potentially facilitating targeted phishing or credential stuffing attacks. This vulnerability is a CWE\u2011204 Information Exposure weakness, where sensitive information about the existence of user accounts is disclosed through differing error messages.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity vulnerability. EPSS is less than 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Attackers can enumerate user accounts remotely over HTTP without authentication, which may lead to credential compromise or facilitate social\u2011engineering attacks. No easy bypass or privilege escalation is reported, but the information gain can be valuable in broader attack campaigns."}}}}, "created": "2026-02-20T10:11:32.536701+00:00", "title": "Unauthenticated User Enumeration via /lostpwd in FormaLMS Password Recovery", "updated": "2026-04-18T12:00:05.888195+00:00", "vendors": ["formalms", "formalms$PRODUCT$formalms"]}