CVE-2018-25350 CRITICAL

CVE-2018-25350: userSpice 4.3.24 Username Enumeration via existingUsernameCheck.php

Vendor Userspice

Product userSpice

Weakness CWE-204

Published May 23, 2026

Last update May 26, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the 'taken' string to identify existing accounts in the system.

Key dates

Disclosure timeline

May 23, 2026 CVE published

May 26, 2026 Record updated