Formalms
CVE-2026-26744
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy.
AnalysisAI
FormaLMS 4.1.18 and earlier allows unauthenticated attackers to enumerate valid usernames through the password recovery endpoint by observing differential error messages. This user enumeration vulnerability could enable an attacker to build a list of active accounts for targeted attacks. No patch is currently available for this medium-severity issue.
Technical ContextAI
Affects the password recovery component of Formalms. A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain
forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=s
Exploitable SQL injection vulnerability exists in the authenticated portion of Forma LMS 2.2.1. Rated high severity (CVS
Exploitable SQL injection vulnerability exists in the authenticated portion of Forma LMS 2.2.1. Rated high severity (CVS
Exploitable SQL injection vulnerabilities exist in the authenticated portion of Forma LMS 2.2.1. Rated high severity (CV
Exploitable SQL injection vulnerabilities exists in the authenticated portion of Forma LMS 2.2.1. Rated high severity (C
An Unauthenticated time-based blind SQL injection vulnerability exists in Forma LMS prior to v.1.4.3. Rated critical sev
There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the rol
Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. Rated high severity (CVSS 8.8
There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the rol
Multiple cross-site scripting (XSS) vulnerabilities in Forma Lms before 1.2.1 p01 allow remote attackers to inject arbit
Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. Rated medium severity (CVSS 6
Same weakness CWE-204 – Observable Response Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today