PT-2026-20941 · Forma Lms · Forma Lms

Lorenzo Bruno · Published 2026-02-19 · Updated 2026-02-24 · CVE-2026-26744

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions
FormaLMS versions 4.1.18 and below

Description
A flaw exists in the password recovery functionality of FormaLMS that allows for user enumeration. An unauthenticated attacker can determine valid registered usernames by observing differing error messages returned by the application. This is accessible via the /lostpwd API endpoint. The application reveals whether a username exists based on the response received.

Recommendations
Versions prior to 4.1.18 should be updated.
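
An added illustration of the behaviour in the Description beside a uniform-response handler, with a regression check that compares the two; it is not FormaLMS code, and the handler names, messages, status codes and sample account are hypothetical.

```python
# Added illustration, not FormaLMS code. All names, messages and status
# codes are hypothetical; the account data is constructed.
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]  # (HTTP status, response body)

USERS: Dict[str, str] = {"alice": "alice@example.test"}  # constructed sample
OUTBOX: List[str] = []  # stands in for the outgoing mail queue

GENERIC = "If the account exists, a recovery link has been sent."


def lostpwd_leaky(username: str) -> Response:
    """Pattern from the Description: the reply depends on whether the user exists."""
    if username not in USERS:
        return 404, "Unknown username."
    OUTBOX.append(USERS[username])
    return 200, "Recovery email sent."


def lostpwd_uniform(username: str) -> Response:
    """Hardened pattern: mail is queued only for real accounts, the reply never varies."""
    email = USERS.get(username)
    if email is not None:
        OUTBOX.append(email)
    return 200, GENERIC


def leaks_account_existence(handler: Callable[[str], Response],
                            known: str, unknown: str) -> bool:
    """Regression check: True if status or body differs between a known and an unknown user."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for h in (lostpwd_leaky, lostpwd_uniform):
        print(h.__name__, "leaks:",
              leaks_account_existence(h, "alice", "no-such-user"))
```

The same comparison can be kept as a regression test for a recovery endpoint after upgrading, so a later change to its messages does not reintroduce the difference.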

Related Identifiers: CVE-2026-26744

Affected Products: Forma Lms