CVE-2026-26744
CVE-2026-26744 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames, allowing an unauthenticated attacker to determine which usernames are registered in the system through an observable response discrepancy. EPSS estimates a 0.29% chance of exploitation in the next 30 days.
Description
A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames, allowing an unauthenticated attacker to determine which usernames are registered in the system through an observable response discrepancy.
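The weakness class described above, shown as an added illustration rather than FormaLMS code: a minimal lost-password handler with the response-discrepancy defect beside a version that answers identically for registered and unregistered usernames, plus a regression check a defender can keep in a test suite. The user store, usernames and mail queue are constructed sample data.

```python
# Added example (not FormaLMS code): response discrepancy in a lost-password
# handler, weak form beside fixed form. All data below is constructed.
from dataclasses import dataclass

REGISTERED = {"alice", "bob"}   # constructed stand-in for the user table
sent_mail: list[str] = []       # constructed stand-in for the outbound mail queue


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def lostpwd_vulnerable(username: str) -> Response:
    # Defect: the status code and message differ depending on whether the
    # username exists, so the response itself reveals account existence.
    if username not in REGISTERED:
        return Response(404, "User not found")
    sent_mail.append(username)
    return Response(200, "A password recovery email has been sent")


GENERIC = "If the account exists, a password recovery email has been sent"


def lostpwd_fixed(username: str) -> Response:
    # Fix: same status and same message on both paths. The only difference
    # is the out-of-band side effect (the e-mail), which the requester
    # cannot observe in the HTTP response. Response-time differences are a
    # separate channel and are not addressed by this snippet.
    if username in REGISTERED:
        sent_mail.append(username)
    return Response(200, GENERIC)


def responses_distinguishable(handler, known: str, unknown: str) -> bool:
    """Regression check: True if a registered and an unregistered username
    produce observably different responses from the given handler."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("vulnerable leaks:", responses_distinguishable(lostpwd_vulnerable, "alice", "mallory"))
    print("fixed leaks:     ", responses_distinguishable(lostpwd_fixed, "alice", "mallory"))
```

The same check, run against a staging instance with one known account and one random username, is a cheap way to confirm that a patched deployment no longer exhibits the discrepancy.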
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Formalms | Formalms | <= 4.1.18 |
References
- https://github.com/lorenzobruno7/CVE-2026-26744 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-26744?
How severe is CVE-2026-26744?
How do I fix CVE-2026-26744?
Are you affected by CVE-2026-26744?
Source: NVD / NIST
