VYPR

CWE-204

Observable Response Discrepancy

Abstraction: Base · Status: Incomplete

Description

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-331 · CAPEC-332 · CAPEC-541 · CAPEC-580

CVEs mapped to this weakness (79)

page 3 of 4
  • CVE-2025-67806 · Low · Apr 1, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    The login mechanism of Sage DPW 2021_06_004 displays distinct responses for valid and invalid usernames, allowing enumeration of existing accounts in versions before 2021_06_000. On-premise administrators can toggle this behavior in newer versions.

  • CVE-2026-4045 · Low · Mar 12, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    A flaw has been found in projectsend up to r1945. This impacts an unknown function of the file includes/Classes/Auth.php. Executing a manipulation of the argument ldap_email can lead to observable response discrepancy. The attack can be executed remotely. A high complexity level…

  • CVE-2025-9109 · Low · Aug 18, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    A security flaw has been discovered in Portabilis i-Diario up to 1.5.0. Affected by this vulnerability is an unknown functionality of the file /password/email of the component Password Recovery Endpoint. The manipulation results in observable response discrepancy. It is possible…

  • CVE-2025-48015 · Low · May 20, 2025
    risk 0.24 · cvss 3.7 · epss 0.00

    Failed login response could be different depending on whether the username was local or central.

  • CVE-2024-12663 · Low · Dec 16, 2024
    risk 0.24 · cvss 3.7 · epss 0.00

    A vulnerability classified as problematic was found in funnyzpc Mee-Admin up to 1.6. This vulnerability affects unknown code of the file /mee/login of the component Login. The manipulation of the argument username leads to observable response discrepancy. The attack can be…

  • CVE-2026-39851 · Med · Apr 8, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Saleor is an e-commerce platform. From 2.10.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, the requestEmailChange() mutation was revealing the existence of user-provided email addresses in error messages. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and…

  • CVE-2026-54445 · Jun 5, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Impact: Vantage6 currently provides an initial user with username `root` and password `root`. This is not ideal for the following reasons: - Attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights - The initial password…

  • CVE-2026-33323 · Mar 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on…

  • CVE-2026-33688 · Mar 23, 2026
    risk 0.00 · cvss n/a · epss 0.00

    WWBN AVideo is an open source video platform. In versions up to and including 26.0, the password recovery endpoint at `objects/userRecoverPass.php` performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to…

  • CVE-2026-31901 · Mar 11, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs…

  • CVE-2026-31888 · Mar 11, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer…

  • CVE-2026-28358 · Mar 2, 2026
    risk 0.00 · cvss n/a · epss 0.01

    NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3.

  • CVE-2026-25138 · Feb 25, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Prior to versions 35.8.3, 38.5.4, and 39.3.1, the WebUI login endpoint returns distinct error messages depending on whether a…

  • CVE-2026-27480 · Feb 21, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses…

  • CVE-2026-25509 · Feb 3, 2026
    risk 0.00 · cvss n/a · epss 0.00

    CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can…

  • CVE-2026-23511 · Jan 15, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ZITADEL is an open source identity management platform. Prior to 4.9.1 and 3.4.6, a user enumeration vulnerability has been discovered in Zitadel's login interfaces. An unauthenticated attacker can exploit this flaw to confirm the existence of valid user accounts by iterating…

  • CVE-2025-69413 · Jan 1, 2026
    risk 0.00 · cvss n/a · epss 0.00

    In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.

  • CVE-2025-66307 · Dec 1, 2025
    risk 0.00 · cvss n/a · epss 0.00

    This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta.1, a user enumeration and email disclosure vulnerability exists in Grav. The "Forgot Password" functionality at…

  • CVE-2025-46047 · Sep 2, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A User enumeration vulnerability in the /CredentialsServlet/ForgotPassword endpoint in Silverpeas 6.4.1 and 6.4.2 allows remote attackers to determine valid usernames via the Login parameter.

  • CVE-2025-46736 · May 6, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. The issue is patched in versions 10.8.10 and 13.8.1. No…