CVE Catalog

CVE-2026-26895

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile - higher than 27% of all known CVEs

Summary

User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote attackers to enumerate valid usernames registered in the platform.

Risk Assessment

The risk is that an attacker can compile a list of valid user accounts, facilitating brute-force or social engineering attacks against the system.

Recommendation

It is recommended to update osTicket to the latest version and implement response delay mechanisms for password reset requests to hinder enumeration.

Original NVD description (English source)

User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote attackers to enumerate valid usernames registered in the platform.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS