CVE Catalog
CVE-2026-26895
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk0.35%
27th percentile - higher than 27% of all known CVEs
Summary
User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote attackers to enumerate valid usernames registered in the platform.
Risk Assessment
The risk is that an attacker can compile a list of valid user accounts, facilitating brute-force or social engineering attacks against the system.
Recommendation
It is recommended to update osTicket to the latest version and implement response delay mechanisms for password reset requests to hinder enumeration.
Original NVD description (English source)
User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote attackers to enumerate valid usernames registered in the platform.

