Total
726 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59716 | 1 Owncloud | 2 Guests, Owncloud | 2026-01-07 | 5.3 Medium |
| ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail address corresponds to a valid pending guest user rather than a non-existent user. | ||||
| CVE-2024-55374 | 1 Redcap | 1 Redcap | 2026-01-06 | 5.3 Medium |
| REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts. | ||||
| CVE-2026-21484 | 1 Mintplexlabs | 1 Anything-llm | 2026-01-05 | 5.3 Medium |
| AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue. | ||||
| CVE-2025-65185 | 1 Entrinsik | 1 Informer | 2026-01-05 | 2.8 Low |
| There is a username enumeration via local user login in Entrinsik Informer v5.10.1 which allows malicious users to enumerate users by entering an OTP code and new password then reviewing application responses. | ||||
| CVE-2022-50800 | 1 H3c | 1 Ssl Vpn | 2026-01-05 | 7.5 High |
| H3C SSL VPN contains a user enumeration vulnerability that allows attackers to identify valid usernames through the 'txtUsrName' POST parameter. Attackers can submit different usernames to the login_submit.cgi endpoint and analyze response messages to distinguish between existing and non-existing accounts. | ||||
| CVE-2025-63094 | 2 Openxiangshan, Xiangshan | 2 Xiangshan, Xiangshan | 2026-01-02 | 7.5 High |
| XiangShan Nanhu V2 and XiangShan Kunmighu V3 were discovered to use speculative execution and indirect branch prediction, allowing attackers to access sensitive information via side-channel analysis of the data cache. | ||||
| CVE-2023-53943 | 1 Glpi-project | 1 Glpi | 2025-12-31 | 5.3 Medium |
| GLPI 9.5.7 contains a username enumeration vulnerability in the lost password recovery mechanism that allows attackers to validate email addresses. Attackers can systematically test email addresses by submitting requests to the password reset endpoint and analyzing response differences to identify valid user accounts. | ||||
| CVE-2025-39665 | 1 Nagvis | 1 Nagvis | 2025-12-19 | 5.3 Medium |
| User enumeration in Nagvis' Checkmk MultisiteAuth before version 1.9.48 allows an unauthenticated attacker to enumerate Checkmk usernames. | ||||
| CVE-2025-43739 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-19 | 4.3 Medium |
| Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allow any authenticated user to modify the content of emails sent through the calendar portlet, allowing an attacker to send phishing emails to any other user in the same organization. | ||||
| CVE-2025-68164 | 1 Jetbrains | 1 Teamcity | 2025-12-18 | 2.7 Low |
| In JetBrains TeamCity before 2025.11 port enumeration was possible via the Perforce connection test | ||||
| CVE-2024-10929 | 1 Arm | 8 Cortex-a57, Cortex-a57 Firmware, Cortex-a72 and 5 more | 2025-12-18 | 5.1 Medium |
| In certain circumstances, an issue in Arm Cortex-A57, Cortex-A72 (revisions before r1p0), Cortex-A73 and Cortex-A75 may allow an adversary to gain a weak form of control over the victim's branch history. | ||||
| CVE-2024-7881 | 1 Arm | 18 C1-premium, C1-premium Firmware, C1-pro and 15 more | 2025-12-18 | 5.1 Medium |
| An unprivileged context can trigger a data memory-dependent prefetch engine to fetch the contents of a privileged location and consume those contents as an address that is also dereferenced. | ||||
| CVE-2020-14145 | 3 Netapp, Openbsd, Redhat | 11 Active Iq Unified Manager, Aff A700s, Aff A700s Firmware and 8 more | 2025-12-18 | 5.9 Medium |
| The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected. | ||||
| CVE-2025-43751 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-18 | 5.3 Medium |
| User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10 and 7.4 GA through update 92 allows remote attackers to determine if an account exist in the application via the create account page. | ||||
| CVE-2020-36888 | 1 Spinetix | 1 Fusion Digital Signage | 2025-12-17 | 5.3 Medium |
| SpinetiX Fusion Digital Signage 3.4.8 contains a username enumeration vulnerability in its login script that allows attackers to identify valid user accounts. Attackers can send crafted login requests with different usernames to distinguish between existing and non-existing accounts by analyzing the server's error responses. | ||||
| CVE-2025-43786 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-16 | 5.3 Medium |
| Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allow attackers to determine existent ERC in the application by exploit the time response. | ||||
| CVE-2025-43743 | 1 Liferay | 4 Digital Experience Platform, Dxp, Liferay Portal and 1 more | 2025-12-15 | 4.3 Medium |
| Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows any authenticated remote user to view other calendars by allowing them to enumerate the names of other users, given an attacker the possibility to send phishing to these users. | ||||
| CVE-2025-13912 | 1 Wolfssl | 1 Wolfssl | 2025-12-12 | N/A |
| Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks. | ||||
| CVE-2025-59702 | 1 Entrust | 11 Nshield 5c, Nshield 5c Firmware, Nshield Connect Xc and 8 more | 2025-12-08 | 7.2 High |
| Entrust nShield Connect XC, nShield 5c, and nShield HSMi through 13.6.11, or 13.7, allow a physically proximate attacker with elevated privileges to falsify tamper events by accessing internal components. | ||||
| CVE-2025-12888 | 1 Wolfssl | 1 Wolfssl | 2025-12-08 | 7.5 High |
| Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X25519, which is now turned on as the default for Xtensa. | ||||