CVE-2026-26744

MEDIUM

FormaLMS <4.1.18 - Info Disclosure

Title source: llm

Description

A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy.

Exploits (1)

github WRITEUP 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-26744

View Code ZIP pw:eip

References (2)

[Various Sources] https://github.com/formalms/formalms.git

[Various Sources] https://github.com/lorenzobruno7/CVE-2026-26744

View Exploit ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0004

EPSS Percentile 10.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-204

Status published

Affected Products (1)

formalms/formalms < 4.1.18

Timeline

Published Feb 19, 2026

Tracked Since Feb 20, 2026