CVE-2026-26744
Severity: MEDIUM
FormaLMS < 4.1.18 - Unauthenticated User Enumeration via Password Recovery Response Discrepancy
Title source: llm
Exploitation Summary
EIP tracks 2 public exploits for CVE-2026-26744. PoCs published by XiaomingX, lorenzobruno7.
AI-analyzed exploit summary
The repository describes a user enumeration vulnerability (CWE-204) in FormaLMS via the `/lostpwd` endpoint, where differential error messages reveal valid usernames. No exploit code is provided, but the technical details are clear and actionable.
Description
A user enumeration vulnerability (CWE-204, observable response discrepancy) exists in the password recovery functionality of FormaLMS 4.1.18 and below, reachable without authentication via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames, so an unauthenticated attacker can determine which usernames are registered in the system simply by submitting candidate names and comparing the responses.
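The discrepancy described above, as an added example that is not part of this advisory, of FormaLMS, or of either tracked PoC. It models the vulnerable and the hardened response pattern for a password-recovery endpoint in Python, and the canary-baseline probe a tester uses to tell them apart. The user names, the message strings, and the way the endpoint is called are assumptions, since the page quotes none of FormaLMS's real values.

```python
"""Added example: CWE-204 response discrepancy on a password-recovery endpoint.

Not FormaLMS code. The user table, message strings and endpoint shape are
constructed stand-ins; the real /lostpwd request and responses are not
quoted by the advisory.
"""
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple

Response = Tuple[int, str]          # (HTTP status, response body)
Endpoint = Callable[[str], Response]

# Constructed stand-in for the LMS user table (hypothetical names).
REGISTERED_USERS = {"admin", "teacher01", "student42"}

# Hypothetical messages: the advisory does not quote FormaLMS's real strings.
MSG_NO_USER = "The username entered was not found."
MSG_SENT = "A recovery email has been sent to the address on file."
MSG_UNIFORM = "If that account exists, a recovery email has been sent."


def lostpwd_vulnerable(username: str) -> Response:
    """CWE-204 pattern: the reply depends on whether the lookup succeeded."""
    if username in REGISTERED_USERS:
        return 200, MSG_SENT           # the real app would also queue the mail
    return 200, MSG_NO_USER


def lostpwd_fixed(username: str) -> Response:
    """Hardened pattern: identical status and body whether or not the user exists."""
    if username in REGISTERED_USERS:
        pass                           # queue the mail, but tell the caller nothing
    return 200, MSG_UNIFORM


def fingerprint(resp: Response) -> str:
    """Collapse a response to the features an enumeration probe compares:
    status code, body length and body hash. A probe against a live target
    would add headers, redirect targets and timing; those are out of scope here."""
    status, body = resp
    digest = hashlib.sha256(body.encode()).hexdigest()[:16]
    return f"{status}:{len(body)}:{digest}"


def find_valid_users(endpoint: Endpoint, candidates: Iterable[str],
                     canary: str = "zz-canary-9f3e1c") -> List[str]:
    """Baseline the endpoint with a name that cannot exist, then report every
    candidate whose response fingerprint differs from that baseline."""
    baseline = fingerprint(endpoint(canary))
    return sorted(n for n in candidates if fingerprint(endpoint(n)) != baseline)


def response_classes(endpoint: Endpoint,
                     candidates: Iterable[str]) -> Dict[str, List[str]]:
    """Group candidates by fingerprint. More than one class means the
    endpoint leaks account existence; exactly one means it does not."""
    classes: Dict[str, List[str]] = {}
    for name in candidates:
        classes.setdefault(fingerprint(endpoint(name)), []).append(name)
    return classes


if __name__ == "__main__":
    # Constructed wordlist: three names exist in REGISTERED_USERS, three do not.
    wordlist = ["admin", "root", "teacher01", "guest", "student42", "test"]
    for label, ep in (("vulnerable", lostpwd_vulnerable), ("fixed", lostpwd_fixed)):
        print(f"{label}: {len(response_classes(ep, wordlist))} response class(es), "
              f"valid={find_valid_users(ep, wordlist)}")
```

Against the vulnerable endpoint the probe recovers all three registered names from the wordlist; against the fixed one it recovers none, because every response collapses to a single fingerprint. A uniform message is necessary but not sufficient: if the valid-user path sends the recovery email synchronously, response timing still distinguishes the two cases, so the mail should be queued asynchronously and the reply built the same way on both paths.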
Exploits (2)
The repository describes a user enumeration vulnerability (CWE-204) in FormaLMS via the `/lostpwd` endpoint, where differential error messages reveal valid usernames. No exploit code is provided, but the technical details are clear and actionable.
Scores
CVSS 3.1 base score 5.3 (Medium): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N