CVE-2026-26744
Received Received - Intake
User Enumeration in FormaLMS 4.1.18 Password Recovery Function

Publication date: 2026-02-19

Last updated on: 2026-02-26

Assigner: MITRE

Description
A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-26744
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
formalms formalms to 4.1.18 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a user enumeration issue in FormaLMS version 4.1.18 and earlier. It occurs in the password recovery feature accessed via the /lostpwd endpoint. The application responds with different error messages depending on whether a username is valid or invalid. This difference allows an attacker who is not logged in to identify which usernames exist in the system by observing the response variations.

Impact Analysis

The vulnerability allows an unauthenticated attacker to discover valid usernames registered in the system. This information can be used to facilitate further attacks such as targeted phishing, brute force password attempts, or social engineering attacks, potentially compromising user accounts and system security.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26744. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart