Filtered by CWE-203
Total 767 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2026-51926 1 Docuform 1 Client 2026-07-14 7.5 High
An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid and invalid usernames based on variations in server responses. This information can be leveraged to identify existing accounts and facilitate further attacks, including brute-force or credential stuffing.
CVE-2026-14071 1 Google 1 Chrome 2026-07-14 6.5 Medium
Side-channel information leakage in WebAudio in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-58503 1 Frappe 1 Frappe 2026-07-13 N/A
Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the reset_password endpoint. This issue is fixed in versions 16.16.0 and 15.106.0.
CVE-2026-56296 1 Cap-go 1 Cap-go 2026-07-13 5.3 Medium
Cap-go before 12.128.2 contains an information disclosure vulnerability in the public.transfer_app RPC function that returns distinct error messages for existing versus non-existing app IDs. Unauthenticated attackers can enumerate valid app IDs by observing error message differences when calling transfer_app with only the publishable API key.
CVE-2026-44332 1 Gofiber 1 Fiber 2026-07-09 5.3 Medium
Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username enumeration through response timing differences. This issue is fixed in version 3.3.0.
CVE-2026-14112 1 Google 1 Chrome 2026-07-01 5.3 Medium
Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-56327 1 Cap-go 1 Cap-go 2026-07-01 5.3 Medium
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable API key to determine if an organization ID exists based on NO_ORG versus NO_RIGHTS responses, enabling tenant enumeration attacks.
CVE-2023-3640 2 Linux, Redhat 2 Linux Kernel, Enterprise Linux 2026-06-26 7 High
A possible unauthorized memory access flaw was found in the Linux kernel's cpu_entry_area mapping of X86 CPU data to memory, where a user may guess the location of exception stacks or other important data. Based on the previous CVE-2023-0597, the 'Randomize per-cpu entry area' feature was implemented in /arch/x86/mm/cpu_entry_area.c, which works through the init_cea_offsets() function when KASLR is enabled. However, despite this feature, there is still a risk of per-cpu entry area leaks. This issue could allow a local user to gain access to some important data with memory in an expected location and potentially escalate their privileges on the system.
CVE-2026-56316 1 Cap-go 1 Cap-go 2026-06-24 5.3 Medium
Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/* endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to distinguish valid job IDs from invalid ones and generate sustained unauthenticated traffic for resource consumption.
CVE-2026-56319 1 Cap-go 1 Cap-go 2026-06-24 4.3 Medium
Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps, breaking tenant isolation.
CVE-2026-47379 1 Nocodb 1 Nocodb 2026-06-24 N/A
NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the shared-view password check fell back to strict-equality (===) comparison for legacy plaintext passwords, leaking the password's length and per-character prefix through response timing. This vulnerability is fixed in 2026.05.1.
CVE-2023-54357 1 Artio 1 Joomla! Com Booking Component 2026-06-23 7.5 High
Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration.
CVE-2024-43546 1 Microsoft 15 Windows 10 21h2, Windows 10 21h2, Windows 10 22h2 and 12 more 2026-06-09 5.6 Medium
Windows Cryptographic Information Disclosure Vulnerability
CVE-2026-11284 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2026-06-09 6.5 Medium
Side-channel information leakage in PerformanceAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-11289 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2026-06-09 6.5 Medium
Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
CVE-2022-3907 1 Clerk.io 1 Clerk.io 2026-06-08 7.5 High
The Clerk WordPress plugin before 4.0.0 is affected by time-based attacks in the validation function for all API requests due to the usage of comparison operators to verify API keys against the ones stored in the site options.
CVE-2022-46392 3 Arm, Fedoraproject, Trustedfirmware 3 Mbed Tls, Fedora, Mbed Tls 2026-06-05 5.3 Medium
An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) can recover an RSA private key after observing the victim performing a single private-key operation, if the window size (MBEDTLS_MPI_WINDOW_SIZE) used for the exponentiation is 3 or smaller.
CVE-2020-10932 4 Arm, Debian, Fedoraproject and 1 more 4 Mbed Tls, Debian Linux, Fedora and 1 more 2026-06-05 4.7 Medium
An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before 2.7.15. An attacker that can get precise enough side-channel measurements can recover the long-term ECDSA private key by (1) reconstructing the projective coordinate of the result of scalar multiplication by exploiting side channels in the conversion to affine coordinates; (2) using an attack described by Naccache, Smart, and Stern in 2003 to recover a few bits of the ephemeral scalar from those projective coordinates via several measurements; and (3) using a lattice attack to get from there to the long-term ECDSA private key used for the signatures. Typically an attacker would have sufficient access when attacking an SGX enclave and controlling the untrusted OS.
CVE-2024-23170 2 Arm, Trustedfirmware 2 Mbed Tls, Mbed Tls 2026-06-05 5.5 Medium
An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.
CVE-2025-9031 1 Netdatasoft 1 Divvy Drive 2026-06-05 4.3 Medium
Observable Timing Discrepancy vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive Web allows Cross-Domain Search Timing. This issue affects DivvyDrive Web: from 4.8.2.2 before 4.8.2.15.