CVE-2026-26744
Received Received - Intake

User Enumeration in FormaLMS 4.1.18 Password Recovery Function

Vulnerability report for CVE-2026-26744, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-19

Last updated on: 2026-02-26

Assigner: MITRE

Description

A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-19
Last Modified
2026-02-26
Generated
2026-07-06
AI Q&A
2026-02-20
EPSS Evaluated
2026-07-04
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
formalms formalms to 4.1.18 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a user enumeration issue in FormaLMS version 4.1.18 and earlier. It occurs in the password recovery feature accessed via the /lostpwd endpoint. The application responds with different error messages depending on whether a username is valid or invalid. This difference allows an attacker who is not logged in to identify which usernames exist in the system by observing the response variations.

Impact Analysis

The vulnerability allows an unauthenticated attacker to discover valid usernames registered in the system. This information can be used to facilitate further attacks such as targeted phishing, brute force password attempts, or social engineering attacks, potentially compromising user accounts and system security.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26744. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart