
CWE-204

Observable Response Discrepancy

74 CVEs | Avg CVSS 5.6 | Source: MITRE
Severity breakdown: CRITICAL 2 | HIGH 4 | MEDIUM 63 | LOW 5
Public PoC available: 13 | Listed in CISA KEV: 0


CVE-2026-53422 LOW PATCH Monitor

Path-traversal enumeration in Erlang OTP's ssh_sftpd module allows authenticated SFTP users to determine whether arbitrary filesystem paths exist outside the configured SFTP root directory. The SSH_FXP_REALPATH handler uniquely passes Canonicalize=false to relate_file_name/3, causing dotdot traversal sequences to skip the is_within_root/2 boundary check before entering resolve_symlinks/2, which then issues read_link() syscalls on arbitrary host paths. Affected versions span OTP 17.0 through the fixed releases 29.0.3, 28.5.0.3, and 27.3.4.14; no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Information Disclosure Oracle Otp
NVD GitHub VulDB
CVSS 4.0: 2.3 | EPSS: 0.3%
CVE-2026-53908 MEDIUM This Month

User enumeration in MyComplianceOffice (MCO) version 25.3.3.1 allows unauthenticated remote attackers to identify valid usernames and email addresses by observing distinguishable application responses from the password reset and username reminder endpoints. The CWE-204 Observable Response Discrepancy root cause means account existence is leaked through differential error messages, status codes, or redirect behavior - classic reconnaissance fodder for follow-on credential stuffing or targeted phishing against compliance personnel. No public exploit code has been identified and no CISA KEV listing exists; however, vendor contact was unsuccessful, leaving patch status unresolved and version scope uncertain beyond the confirmed 25.3.3.1 release.

Information Disclosure Mco
NVD
CVSS 4.0: 6.9 | EPSS: 0.3%
CVE-2026-53947 MEDIUM PATCH This Month

Ghost CMS versions 5.18.0 through 6.21.1 expose registered member email addresses to unauthenticated enumeration via observable discrepancies in the members signin endpoint responses. Any Ghost site with the members feature active is affected, allowing an attacker to silently probe whether arbitrary email addresses belong to site subscribers. No public exploit or active exploitation (CISA KEV) has been identified; vendor patch is available in 6.21.1.

Information Disclosure Node.js Ghost
NVD GitHub
CVSS 3.1: 5.3 | EPSS: 0.2%
CVE-2026-54445 PyPI MEDIUM PATCH This Month

Default hardcoded admin credentials in vantage6 expose servers running versions prior to 5.0.0 to unauthorized administrative access by any network-accessible attacker who attempts the well-known username 'root' and password 'root'. The vantage6 server initializes with this superuser account on first deployment, and administrators who fail to change or delete it leave a predictable, trivially exploitable entry point. While not confirmed actively exploited (no CISA KEV listing), the predictability of the credential pair and the sensitivity of vantage6's federated privacy-preserving analytics data make this a meaningful operational risk for unpatched deployments.

Information Disclosure Vantage6
NVD GitHub
CVSS 4.0: 6.9 | EPSS: 0.3%
CVE-2026-6207 CRITICAL Act Now

Information disclosure in HAVELSAN Geographic Tracking System versions prior to v0.0.2 allows remote unauthenticated attackers to perform system footprinting by analyzing observable discrepancies in server responses. The CVSS 9.1 score reflects high confidentiality and integrity impact over the network with no authentication required, though no public exploit had been identified at time of analysis. The vulnerability was reported by Turkey's national CERT (TR-CERT), suggesting it primarily affects deployments within Turkey's defense and government sectors where HAVELSAN products are commonly used.

Information Disclosure Geographic Tracking System
NVD VulDB
CVSS 3.1: 9.1
CVE-2026-43926 MEDIUM PATCH This Month

Password reset token enumeration in FOSSBilling prior to 0.8.0 exposes three authentication endpoints - including the elevated-privilege admin reset at `/staff/email/:hash` - to unlimited brute-force guessing due to a rate limiter architecturally scoped exclusively to `/api/*` routes. The confirmation endpoint acts as a CWE-204 oracle, returning distinguishable HTTP responses (200 for valid tokens, 302 redirect for invalid), allowing an unauthenticated remote attacker to probe token validity without throttling, lockout, or attempt counting. Practical exploitation risk is substantially reduced by 256-bit token entropy (`hash('sha256', random_bytes(32))`) combined with a 15-minute expiry window, which is accurately reflected in the CVSS 4.0 AC:H/AT:P scoring; no public exploit or CISA KEV listing has been identified at time of analysis.

Apache Information Disclosure Oracle Nginx Fossbilling
NVD GitHub
CVSS 4.0: 6.3 | EPSS: 0.0%
CVE-2026-45620 PHP MEDIUM GHSA This Month

User enumeration in AVideo (composer/WWBN/AVideo ≤ 29.0) exposes account metadata - names, email addresses, usernames, and channel names - to unauthenticated remote attackers through an incomplete patch for CVE-2026-43881. The original fix (commit d9cdc7024) hardened `users.json.php` but left an identical unauthenticated code path alive in `objects/mention.json.php`, which calls `User::getAllUsers()` with no `loginCheck()` or authorization gate. No public exploit is identified at time of analysis, though the trivial HTTP-based trigger and absence of authentication make this a realistic reconnaissance primitive for credential-stuffing or phishing campaigns.

PHP Information Disclosure
NVD GitHub
CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-8242 LOW POC Monitor

Information disclosure in Industrial Application Software IAS Canias ERP 8.03 allows remote attackers to extract sensitive data through observable response discrepancies in the Login RMI Interface doAction function. The vulnerability requires high attack complexity but can be exploited without authentication or user interaction. Publicly available exploit code exists, though the vendor has not responded to early disclosure notifications.

Information Disclosure Canias Erp
NVD VulDB GitHub
CVSS 4.0: 2.9 | EPSS: 0.0%
CVE-2026-44306 PHP MEDIUM PATCH GHSA This Month

Statamic CMS versions before 5.73.21 and 6.0-6.14.x disclose whether an email address is registered via differential responses from the forgot password endpoint, enabling unauthenticated attackers to enumerate valid user accounts and facilitate downstream credential-based attacks. The vulnerability has a CVSS score of 5.3 (low confidentiality impact) and no public exploit code or active exploitation has been identified.

Information Disclosure
NVD GitHub
CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2026-20195 MEDIUM This Month

Unauthenticated remote attackers can enumerate valid user accounts on Cisco Identity Services Engine through an identity management API endpoint by analyzing differentiated error responses to crafted requests. The vulnerability enables account enumeration with no authentication required, network-accessible attack surface, and low complexity exploitation, resulting in partial information disclosure of valid usernames on affected systems.

Information Disclosure Cisco Cisco Identity Services Engine Software
NVD
CVSS 3.1: 5.3 | EPSS: 0.0%