Description
A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames, allowing an unauthenticated attacker to determine which usernames are registered in the system through an observable response discrepancy.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User Enumeration via Password Recovery
Action: Assess
AI Analysis

Impact

A user enumeration vulnerability has been identified in the password recovery functionality of FormaLMS. When an attacker accesses the /lostpwd endpoint, the application returns distinct error messages for valid and invalid usernames. This observable difference allows an unauthenticated attacker to infer whether a username exists in the system, potentially facilitating targeted phishing or credential stuffing attacks. This vulnerability is a CWE-204 Information Exposure weakness, where sensitive information about the existence of user accounts is disclosed through differing error messages.

Affected Systems

This issue affects FormaLMS versions 4.1.18 and earlier. The CVE source indicates the application is the official FormaLMS distribution; the affected versions are all releases up to but not including 4.1.19.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity vulnerability. EPSS is less than 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Attackers can enumerate user accounts remotely over HTTP without authentication, which may lead to credential compromise or facilitate social-engineering attacks. No easy bypass or privilege escalation is reported, but the information gain can be valuable in broader attack campaigns.

Generated by OpenCVE AI on April 18, 2026 at 11:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FormaLMS to a version that removes the distinct error responses or applies the vendor patch, thereby eliminating the CWE-204 Information Exposure flaw.
  • If an upgrade is not immediately possible, modify the password recovery flow to return a generic "If this account exists, an email has been sent" message for all inputs, thus mitigating the CWE-204 weakness.
  • As a temporary measure, restrict access to /lostpwd by applying web-application firewall rules or rate limiting to slow enumeration attempts.
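The following is an added illustration of the second and third recommended actions; it is not FormaLMS code and does not reproduce the application's actual /lostpwd handler. It contrasts a recovery handler that answers differently for known and unknown usernames (the pattern the advisory describes) with one that returns the same status and the same generic body for every input and does the same amount of work either way, plus a small per-client sliding-window limiter of the kind a reverse proxy or WAF would apply in front of the endpoint. The user store, the function names and the client keys are constructed for the example.

```python
import secrets
import time
from collections import defaultdict, deque

# Constructed sample account store; stands in for the application's user table.
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}

# One body for every input, so the response reveals nothing about account existence.
GENERIC_MESSAGE = "If this account exists, an email with reset instructions has been sent."


def vulnerable_lost_password(username, outbox):
    """Pattern described in the advisory: status and body depend on whether the account exists."""
    if username in USERS:
        outbox.append((USERS[username], secrets.token_urlsafe(32)))
        return 200, "A password reset email has been sent."
    return 404, "Username not found."


def hardened_lost_password(username, outbox):
    """Same status, same body and the same work whether or not the account exists."""
    token = secrets.token_urlsafe(32)  # always generated, so timing does not track existence
    email = USERS.get(username)
    if email is not None:
        outbox.append((email, token))  # the only difference is internal: an email is queued
    return 200, GENERIC_MESSAGE


class SlidingWindowLimiter:
    """Per-client request budget for /lostpwd (the interim rate-limiting measure)."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.hits = defaultdict(deque)  # client key -> timestamps of recent requests

    def allow(self, client_key, now=None):
        now = time.monotonic() if now is None else now
        recent = self.hits[client_key]
        while recent and now - recent[0] >= self.window:  # drop hits outside the window
            recent.popleft()
        if len(recent) >= self.max_requests:
            return False
        recent.append(now)
        return True


def responses_distinguishable(handler):
    """Regression check: does (status, body) differ for a known vs. an unknown username?"""
    known = handler("alice", [])
    unknown = handler("no-such-user", [])
    return known != unknown


def handle_lost_password(username, client_key, limiter, outbox, now=None):
    """Combined handling for a /lostpwd request: rate limit first, then the uniform response."""
    if not limiter.allow(client_key, now):
        return 429, "Too many requests. Please try again later."
    return hardened_lost_password(username, outbox)


if __name__ == "__main__":
    print("vulnerable handler distinguishable:", responses_distinguishable(vulnerable_lost_password))
    print("hardened handler distinguishable:", responses_distinguishable(hardened_lost_password))
```

The `responses_distinguishable` check is the kind of unit test worth keeping after the fix: it fails the build if someone later reintroduces a "user not found" branch. Note that the generic message also has to cover the email-sending path, which is why the hardened handler only queues the email and never reports whether it did.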

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 12:15:00 +0000

Type: Title
Values added: Unauthenticated User Enumeration via /lostpwd in FormaLMS Password Recovery

Thu, 26 Feb 2026 03:00:00 +0000

Type: CPEs
Values added: cpe:2.3:a:formalms:formalms:*:*:*:*:*:*:*:*

Tue, 24 Feb 2026 16:15:00 +0000

Type: Weaknesses
Values added: CWE-204

Type: Metrics
Values added:
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
Values added: Formalms; Formalms formalms

Type: Vendors & Products
Values added: Formalms; Formalms formalms

Thu, 19 Feb 2026 21:30:00 +0000

Type: Description
Values added: A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-24T15:53:13.623Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26744

Vulnrichment

Updated: 2026-02-24T15:52:59.882Z

NVD

Status : Analyzed

Published: 2026-02-19T22:16:47.627

Modified: 2026-02-26T02:48:23.430

Link: CVE-2026-26744

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:00:05Z

Weaknesses