FormaLMS Password Recovery Exposes Registered Usernames

CVE-2026-26744
Summary

FormaLMS versions 4.1.18 and below allow attackers to discover valid usernames by analyzing error messages returned when attempting to recover passwords. This can be exploited by malicious individuals to gather information about the system's user base. Update to the latest version of FormaLMS to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
formalms | formalms | <= 4.1.18 | –
Original title
A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages fo...
Original description
A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy.
NVD CVSS 3.1: 5.3
Vulnerability type
CWE-204
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026