CWE-203
Observable Discrepancy
Description
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-189
CVEs mapped to this weakness (224)
page 6 of 12| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-33429 | 0.00 | — | 0.00 | Mar 24, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is… | |||
| CVE-2026-28490 | 0.00 | — | 0.00 | Mar 16, 2026 | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management… | |||
| CVE-2026-21386 | 0.00 | — | 0.00 | Mar 16, 2026 | Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error… | |||
| CVE-2026-4040 | 0.00 | — | 0.00 | Mar 12, 2026 | A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to… | |||
| CVE-2026-26315 | 0.00 | — | 0.00 | Feb 19, 2026 | go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0… | |||
| CVE-2026-26185 | 0.00 | — | 0.00 | Feb 12, 2026 | Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately… | |||
| CVE-2026-25509 | 0.00 | — | 0.00 | Feb 3, 2026 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can… | |||
| CVE-2026-23849 | 0.00 | — | 0.00 | Jan 19, 2026 | File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid… | |||
| CVE-2026-23519 | 0.00 | — | 0.01 | Jan 15, 2026 | RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. Prior to 0.4.4, the thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly… | |||
| CVE-2026-23511 | 0.00 | — | 0.00 | Jan 15, 2026 | ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating… | |||
| CVE-2025-13912 | Low | 0.00 | — | 0.00 | Dec 11, 2025 | Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks. | ||
| CVE-2025-64749 | 0.00 | — | 0.00 | Nov 13, 2025 | Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for… | |||
| CVE-2025-1396 | — | 0.00 | — | 0.00 | Sep 26, 2025 | A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior… | ||
| CVE-2025-43786 | 0.00 | — | 0.00 | Sep 9, 2025 | Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allow attackers to determine existent ERC in the… | |||
| CVE-2025-51586 | 0.00 | — | 0.01 | Sep 8, 2025 | An issue was discoverd in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature. | |||
| CVE-2025-43751 | 0.00 | — | 0.00 | Aug 22, 2025 | User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10 and 7.4 GA… | |||
| CVE-2025-43743 | 0.00 | — | 0.00 | Aug 19, 2025 | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows any authenticated remote user to view… | |||
| CVE-2025-43739 | 0.00 | — | 0.00 | Aug 19, 2025 | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allow any authenticated user to modify the… | |||
| CVE-2025-54999 | 0.00 | — | 0.00 | Aug 9, 2025 | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between… | |||
| CVE-2025-6011 | 0.00 | — | 0.00 | Aug 1, 2025 | A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition… |
- CVE-2026-33429Mar 24, 2026risk 0.00cvss —epss 0.00
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is…
- CVE-2026-28490Mar 16, 2026risk 0.00cvss —epss 0.00
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management…
- CVE-2026-21386Mar 16, 2026risk 0.00cvss —epss 0.00
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error…
- CVE-2026-4040Mar 12, 2026risk 0.00cvss —epss 0.00
A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to…
- CVE-2026-26315Feb 19, 2026risk 0.00cvss —epss 0.00
go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0…
- CVE-2026-26185Feb 12, 2026risk 0.00cvss —epss 0.00
Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately…
- CVE-2026-25509Feb 3, 2026risk 0.00cvss —epss 0.00
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can…
- CVE-2026-23849Jan 19, 2026risk 0.00cvss —epss 0.00
File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth. Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid…
- CVE-2026-23519Jan 15, 2026risk 0.00cvss —epss 0.01
RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. Prior to 0.4.4, the thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly…
- CVE-2026-23511Jan 15, 2026risk 0.00cvss —epss 0.00
ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating…
- risk 0.00cvss —epss 0.00
Multiple constant-time implementations in wolfSSL before version 5.8.4 may be transformed into non-constant-time binary by LLVM optimizations, which can potentially result in observable timing discrepancies and lead to information disclosure through timing side-channel attacks.
- CVE-2025-64749Nov 13, 2025risk 0.00cvss —epss 0.00
Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for…
- CVE-2025-1396Sep 26, 2025risk 0.00cvss —epss 0.00
A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior…
- CVE-2025-43786Sep 9, 2025risk 0.00cvss —epss 0.00
Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allow attackers to determine existent ERC in the…
- CVE-2025-51586Sep 8, 2025risk 0.00cvss —epss 0.01
An issue was discoverd in file controllers/admin/AdminLoginController.php in PrestaShop before 8.2.1 allowing attackers to gain sensitive information via the reset password feature.
- CVE-2025-43751Aug 22, 2025risk 0.00cvss —epss 0.00
User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10 and 7.4 GA…
- CVE-2025-43743Aug 19, 2025risk 0.00cvss —epss 0.00
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows any authenticated remote user to view…
- CVE-2025-43739Aug 19, 2025risk 0.00cvss —epss 0.00
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allow any authenticated user to modify the…
- CVE-2025-54999Aug 9, 2025risk 0.00cvss —epss 0.00
OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between…
- CVE-2025-6011Aug 1, 2025risk 0.00cvss —epss 0.00
A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition…