Forma Lms · Forma Lms · CVE-2026-26744
**Name of the Vulnerable Software and Affected Versions**
FormaLMS versions 4.1.18 and below
**Description**
A flaw in the password recovery functionality of FormaLMS allows user enumeration. An unauthenticated attacker can determine valid registered usernames by observing the differing error messages that the application returns through the `/lostpwd` API endpoint: the response received reveals whether a username exists.
**Recommendations**
Versions prior to 4.1.18 should be updated.
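Until an instance is updated, repeated requests to `/lostpwd` from a single client are the visible trace of this enumeration. The following is an added example, not part of the advisory or of FormaLMS: a sliding-window check over web server access logs. It assumes combined log format, chronologically ordered entries, and a request path ending in `/lostpwd`; the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined/common log format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_lostpwd_bursts(lines, threshold=5, window_seconds=60):
    """Return {ip: peak request count} for clients that sent at least
    `threshold` requests to /lostpwd within any `window_seconds` span."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Match the endpoint with or without a query string or trailing slash.
        path = m["path"].split("?", 1)[0].rstrip("/")
        if not path.endswith("/lostpwd"):
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def _line(ip, second, path="/lostpwd"):
    # Constructed sample data (documentation address ranges), not real traffic.
    return (f'{ip} - - [12/Mar/2026:10:00:{second:02d} +0000] '
            f'"POST {path} HTTP/1.1" 200 512 "-" "-"')

SAMPLE_LOG = (
    [_line("203.0.113.7", s) for s in range(0, 40, 5)]       # 8 requests in 35 s
    + [_line("198.51.100.4", 3), _line("198.51.100.4", 50)]  # ordinary user retry
    + [_line("192.0.2.9", s, "/login") for s in range(10)]   # different endpoint
)

if __name__ == "__main__":
    for ip, count in find_lostpwd_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} /lostpwd requests within 60 s")
```

The threshold and window are starting points to tune against normal password-recovery traffic. Clients behind a shared proxy or NAT appear as one address.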