An issue in the component route\user.php of Xiuno BBS v4.0.4 allows malicious users to enumerate usernames.
xiuno xiunobbs 4.0.4