Skip to main content

CWE-203

Observable Discrepancy

476 CVEs Avg CVSS 5.7 MITRE
12
CRITICAL
74
HIGH
342
MEDIUM
48
LOW
99
POC
1
KEV

Monthly

CVE-2026-56339 HIGH PATCH This Week

Unauthenticated organization enumeration in Capgo before 12.128.2 lets attackers abuse the Supabase PostgREST SECURITY DEFINER RPC public.rescind_invitation, which returns distinguishable NO_ORG versus NO_RIGHTS errors when invoked with only a publishable (anon) API key. This oracle lets remote unauthenticated attackers confirm which organization IDs exist, building a target list for follow-on phishing and social engineering. Reported by VulnCheck; no public exploit code and no CISA KEV listing at time of analysis.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
8.7
CVE-2026-56296 MEDIUM PATCH This Month

Information disclosure in Capgo (Cap-go) before 12.128.2 allows unauthenticated network attackers to enumerate valid app IDs by observing differential error responses from the public.transfer_app RPC endpoint, requiring only a publishable API key. The root cause is a CWE-203 observable discrepancy: the endpoint returns distinguishable error messages depending on whether a supplied app ID exists or not, functioning as an existence oracle. No active exploitation is confirmed (not in CISA KEV), but the low barrier to exploitation - network-accessible, no authentication beyond a publishable key - makes this a practical reconnaissance primitive against Capgo-hosted applications.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-58503 MEDIUM PATCH This Month

User enumeration via the reset_password endpoint in Frappe framework exposes valid account usernames to unauthenticated remote attackers across all versions prior to 15.106.0 and 16.16.0. The flaw stems from observable response discrepancies (CWE-203) that allow systematic probing of registered accounts without any credentials. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the zero-barrier network access makes this a realistic reconnaissance primitive for credential stuffing or targeted phishing campaigns against Frappe-based deployments.

Information Disclosure Frappe
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-51926 HIGH This Week

An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid and invalid usernames based on variations in server responses. This information can be leveraged to identify existing accounts and facilitate further attacks, including brute-force or credential stuffing.

Information Disclosure PHP
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-44332 Go MEDIUM PATCH GHSA This Month

Remote username enumeration in GoFiber fiber v3's default BasicAuth middleware exploits a timing side-channel caused by Go's short-circuit `&&` evaluation, producing a ~1,000,000:1 response-time ratio between valid and invalid usernames when bcrypt hashing is in use. Any GoFiber v3 application relying on the default `Authorizer` with hashed credentials is affected; an unauthenticated remote attacker can enumerate valid usernames by measuring HTTP response latency, then focus credential brute-force exclusively on confirmed accounts. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.

Oracle Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-14112 MEDIUM PATCH This Month

Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)

Information Disclosure Google Suse
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-56327 MEDIUM PATCH This Month

Unauthenticated organization enumeration in Capgo before 12.128.2 exposes tenant existence through differential error responses in the public.invite_user_to_org SECURITY DEFINER RPC function. Any caller holding a publishable API key - a client-side credential intentionally distributed in mobile apps - can probe arbitrary organization IDs and distinguish NO_ORG from NO_RIGHTS responses, confirming or denying tenant existence at scale. No active exploitation is confirmed (not in CISA KEV) and no public POC has been identified, but the attack barrier is exceptionally low given the freely obtainable key material and the network-accessible default posture.

Information Disclosure Capgo
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56316 MEDIUM PATCH This Month

Unauthenticated job ID enumeration in Cap-go (Capgo) before version 12.128.2 exposes internal builder job identifiers via observable response discrepancies on the OPTIONS /build/upload/:jobId/* endpoint. Any network-accessible attacker can probe this endpoint without credentials to distinguish valid job IDs from invalid ones, effectively building a map of active build jobs. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the zero-barrier exploitation (no auth, no interaction) and dual impact of information disclosure and incidental resource consumption make it a meaningful exposure for organizations running self-hosted Capgo instances.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56319 MEDIUM PATCH This Month

Tenant isolation is broken in Capgo's statistics API before version 12.128.2, allowing authenticated holders of app-limited API keys to enumerate app IDs belonging to other tenants across the platform. The GET /statistics/app/:app_id endpoint returns distinct error codes depending on whether a target app exists (500 PGRST116) or is entirely nonexistent (401), creating an oracle that maps real app IDs outside the caller's authorized scope. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 5.3 reflects the authenticated requirement and limited confidentiality impact.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2023-54357 HIGH POC This Week

Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Joomla Com Booking Component
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVSS 8.7
HIGH PATCH This Week

Unauthenticated organization enumeration in Capgo before 12.128.2 lets attackers abuse the Supabase PostgREST SECURITY DEFINER RPC public.rescind_invitation, which returns distinguishable NO_ORG versus NO_RIGHTS errors when invoked with only a publishable (anon) API key. This oracle lets remote unauthenticated attackers confirm which organization IDs exist, building a target list for follow-on phishing and social engineering. Reported by VulnCheck; no public exploit code and no CISA KEV listing at time of analysis.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Information disclosure in Capgo (Cap-go) before 12.128.2 allows unauthenticated network attackers to enumerate valid app IDs by observing differential error responses from the public.transfer_app RPC endpoint, requiring only a publishable API key. The root cause is a CWE-203 observable discrepancy: the endpoint returns distinguishable error messages depending on whether a supplied app ID exists or not, functioning as an existence oracle. No active exploitation is confirmed (not in CISA KEV), but the low barrier to exploitation - network-accessible, no authentication beyond a publishable key - makes this a practical reconnaissance primitive against Capgo-hosted applications.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

User enumeration via the reset_password endpoint in Frappe framework exposes valid account usernames to unauthenticated remote attackers across all versions prior to 15.106.0 and 16.16.0. The flaw stems from observable response discrepancies (CWE-203) that allow systematic probing of registered accounts without any credentials. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the zero-barrier network access makes this a realistic reconnaissance primitive for credential stuffing or targeted phishing campaigns against Frappe-based deployments.

Information Disclosure Frappe
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid and invalid usernames based on variations in server responses. This information can be leveraged to identify existing accounts and facilitate further attacks, including brute-force or credential stuffing.

Information Disclosure PHP
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Remote username enumeration in GoFiber fiber v3's default BasicAuth middleware exploits a timing side-channel caused by Go's short-circuit `&&` evaluation, producing a ~1,000,000:1 response-time ratio between valid and invalid usernames when bcrypt hashing is in use. Any GoFiber v3 application relying on the default `Authorizer` with hashed credentials is affected; an unauthenticated remote attacker can enumerate valid usernames by measuring HTTP response latency, then focus credential brute-force exclusively on confirmed accounts. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.

Oracle Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated organization enumeration in Capgo before 12.128.2 exposes tenant existence through differential error responses in the public.invite_user_to_org SECURITY DEFINER RPC function. Any caller holding a publishable API key - a client-side credential intentionally distributed in mobile apps - can probe arbitrary organization IDs and distinguish NO_ORG from NO_RIGHTS responses, confirming or denying tenant existence at scale. No active exploitation is confirmed (not in CISA KEV) and no public POC has been identified, but the attack barrier is exceptionally low given the freely obtainable key material and the network-accessible default posture.

Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated job ID enumeration in Cap-go (Capgo) before version 12.128.2 exposes internal builder job identifiers via observable response discrepancies on the OPTIONS /build/upload/:jobId/* endpoint. Any network-accessible attacker can probe this endpoint without credentials to distinguish valid job IDs from invalid ones, effectively building a map of active build jobs. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the zero-barrier exploitation (no auth, no interaction) and dual impact of information disclosure and incidental resource consumption make it a meaningful exposure for organizations running self-hosted Capgo instances.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Tenant isolation is broken in Capgo's statistics API before version 12.128.2, allowing authenticated holders of app-limited API keys to enumerate app IDs belonging to other tenants across the platform. The GET /statistics/app/:app_id endpoint returns distinct error codes depending on whether a target app exists (500 PGRST116) or is entirely nonexistent (401), creating an oracle that maps real app IDs outside the caller's authorized scope. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 5.3 reflects the authenticated requirement and limited confidentiality impact.

Information Disclosure Capgo
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP Joomla Com Booking Component
NVD Exploit-DB VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy