CWE-204 · Observable Response Discrepancy

160 CVEs classified under CWE-204 (Observable Response Discrepancy). Browse by severity and year.

Top CVEs for CWE-204
| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2018-25350 | Critical | 9.8 | 2026-05-23 | userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to th… |
| CVE-2025-5485 | High | 8.6 | 2025-06-12 | User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malici… |
| CVE-2026-33419 | High | 7.5 | 2026-03-24 | MinIO is a high-performance object storage system. Prior to RELEASE.2026-03-17T21-25-16Z, MinIO AIStor's STS (Security Token Service) AssumeRoleWithLDAPIdentit… |
| CVE-2025-12455 | High | 7.5 | 2026-03-13 | Observable response discrepancy vulnerability in OpenText™ Vertica allows Password Brute Forcing. The vulnerability could lead to Password Brute Forcing in V… |
| CVE-2025-46390 | High | 7.5 | 2025-08-06 | CWE-204: Observable Response Discrepancy |
| CVE-2025-3092 | High | 7.5 | 2025-06-24 | An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint. |
| CVE-2021-20049 | High | 7.5 | 2021-12-23 | A vulnerability in SonicWall SMA100 password change API allows a remote unauthenticated attacker to perform SMA100 username enumeration based on the server res… |
| CVE-2021-34580 | High | 7.5 | 2021-10-27 | In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted… |
| CVE-2026-4113 | High | 7.2 | 2026-04-09 | An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to enumerate SSL VPN user credentials. |
| CVE-2026-34264 | Medium | 6.5 | 2026-04-14 | During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low… |
| CVE-2025-67874 | Medium | 6.5 | 2025-12-16 | ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent… |
| CVE-2025-66307 | Medium | 6.5 | 2025-12-01 | This admin plugin for Grav is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages. Prior to 1.11.0-beta… |
| CVE-2025-61907 | Medium | 6.5 | 2025-10-16 | Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could a… |
| CVE-2023-46170 | Medium | 6.5 | 2024-03-07 | IBM DS8900F HMC 89.21.19.0, 89.21.31.0, 89.30.68.0, 89.32.40.0, and 89.33.48.0 could allow an authenticated user to arbitrarily read files after enumerating fi… |
| CVE-2022-39315 | Medium | 6.5 | 2022-10-25 | Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6.2, 3.7.5.1, and 3.8.1, a user enumeration vulnerability affects all Kirby sites with use… |
| CVE-2021-38476 | Medium | 6.5 | 2021-10-19 | InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 authentication process response indicates and validates the existence of a username. This m… |
| CVE-2024-28232 | Medium | 6.2 | 2024-04-01 | Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the username enumeration vu… |
| CVE-2024-24766 | Medium | 6.2 | 2024-03-06 | CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed… |
| CVE-2025-9824 | Medium | 5.9 | 2025-09-03 | Impact: The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid usernames, after whi… |
| CVE-2024-40627 | Medium | 5.8 | 2024-07-15 | Fastapi OPA is an opensource fastapi middleware which includes auth flow. HTTP `OPTIONS` requests are always allowed by `OpaMiddleware`, even when they lack au… |