CWE-204: Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Last updated
Overview
CWE-204 (Observable Response Discrepancy) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
154 recorded CVEs are caused by CWE-204 (Observable Response Discrepancy). The highest-severity and most recent are shown first. 45 new CWE-204 CVEs have been recorded so far in 2026 (51 in 2025).
- CVE-2018-25350
userSpice 4.3.24 Username Enumeration via existingUsernameCheck.php
Critical · CVSS 9.3 · EPSS 35th2026-05-23 - CVE-2026-15747
Mojolicious versions from 4.59 before 9.48 for Perl expose a stable representation of the session CSRF token to a BREACH compression oracle
Critical · CVSS 9.1 · EPSS 16th2026-07-14 - CVE-2025-5485
SinoTrack GPS Receiver Weak Authentication
High · CVSS 8.8 · EPSS 32th