CVE-2026-26744

CVSS 5.3 MEDIUMEPSS 0.3%CWE-204

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

19 Feb 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products

n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/formalms/formalms.git https://github.com/lorenzobruno7/CVE-2026-26744