CWE-204 · Observable Response Discrepancy
160 CVEs classified under CWE-204 (Observable Response Discrepancy). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2018-25350 | Critical | 9.8 | 2026-05-23 | userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to th… |
| CVE-2025-5485 | High | 8.6 | 2025-06-12 | User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malici… |
| CVE-2026-33419 | High | 7.5 | 2026-03-24 | MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentit… |
| CVE-2025-12455 | High | 7.5 | 2026-03-13 | Observable response discrepancy vulnerability in OpenText™ Vertica allows Password Brute Forcing. The vulnerability could lead to Password Brute Forcing in V… |
| CVE-2025-46390 | High | 7.5 | 2025-08-06 | CWE-204: Observable Response Discrepancy |
| CVE-2025-3092 | High | 7.5 | 2025-06-24 | An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint. |
| CVE-2021-20049 | High | 7.5 | 2021-12-23 | A vulnerability in SonicWall SMA100 password change API allows a remote unauthenticated attacker to perform SMA100 username enumeration based on the server res… |
| CVE-2021-34580 | High | 7.5 | 2021-10-27 | In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted… |
| CVE-2026-4113 | High | 7.2 | 2026-04-09 | An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to enumerate SSL VPN user credentials. |
| CVE-2026-34264 | Medium | 6.5 | 2026-04-14 | During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low… |
| CVE-2025-67874 | Medium | 6.5 | 2025-12-16 | ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent… |
| CVE-2025-66307 | Medium | 6.5 | 2025-12-01 | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta… |
| CVE-2025-61907 | Medium | 6.5 | 2025-10-16 | Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could a… |
| CVE-2023-46170 | Medium | 6.5 | 2024-03-07 | IBM DS8900F HMC 89.21.19.0, 89.21.31.0, 89.30.68.0, 89.32.40.0, and 89.33.48.0 could allow an authenticated user to arbitrarily read files after enumerating fi… |
| CVE-2022-39315 | Medium | 6.5 | 2022-10-25 | Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with use… |
| CVE-2021-38476 | Medium | 6.5 | 2021-10-19 | InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 authentication process response indicates and validates the existence of a username. This m… |
| CVE-2024-28232 | Medium | 6.2 | 2024-04-01 | Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the username enumeration vu… |
| CVE-2024-24766 | Medium | 6.2 | 2024-03-06 | CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed… |
| CVE-2025-9824 | Medium | 5.9 | 2025-09-03 | Impact: The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after whi… |
| CVE-2024-40627 | Medium | 5.8 | 2024-07-15 | Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP `OPTIONS` requests are always allowed by `OpaMiddleware`, even when they lack au… |