CVE-2018-25350: userSpice 4.3.24: Unauthenticated Attackers Can Discover Valid Usernames

CVE-2018-25350
Summary

UserSpice, a user management system, has a security weakness that lets attackers find valid usernames without logging in. Attackers could use this to guess or confirm existing accounts. To fix this, update to a newer version of UserSpice that addresses this issue.

Original title
userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. ...
Original description
userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the 'taken' string to identify existing accounts in the system.
NVD CVSS 3.1: 9.8
NVD CVSS 4.0: 9.3
Vulnerability type
CWE-204
Published: 23 May 2026 · Updated: 30 May 2026 · First seen: 26 May 2026
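
For defenders, the behaviour in the description (repeated unauthenticated POST requests to existingUsernameCheck.php) is visible in web server access logs. The following is an added example, not part of the original advisory or of UserSpice: a detector that flags clients exceeding a request threshold against that endpoint. The combined log format, the `/app/` path prefix, the threshold and the window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: Apache/nginx "combined" access-log format, entries in time order.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
ENDPOINT = "/existingusernamecheck.php"  # endpoint named in the advisory, lower-cased

def parse_check_request(line):
    """Return (client_ip, timestamp) for a POST to the check endpoint, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0].lower()
    if m["method"] != "POST" or not path.endswith(ENDPOINT):
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def find_enumeration(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each client IP to its peak number of checks inside one window,
    keeping only clients that reached the (assumed) threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        hit = parse_check_request(line)
        if hit is None:
            continue
        ip, ts = hit
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def sample_log():
    """Constructed log lines: one noisy client, one ordinary sign-up."""
    fmt = '{ip} - - [26/May/2026:10:{mm:02d}:{ss:02d} +0000] "{req} HTTP/1.1" 200 5 "-" "-"'
    post = "POST /app/existingUsernameCheck.php"  # path prefix is an assumption
    lines = [fmt.format(ip="198.51.100.7", mm=0, ss=i, req=post) for i in range(8)]
    lines += [fmt.format(ip="203.0.113.20", mm=1, ss=s, req=post) for s in (10, 40)]
    lines.append(fmt.format(ip="203.0.113.20", mm=2, ss=0, req="GET /app/index.php"))
    return lines

if __name__ == "__main__":
    print(find_enumeration(sample_log()))
```

Tune the threshold to the site's normal registration traffic, since a legitimate sign-up form also calls this endpoint a few times per user.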