Lucene search
K

293 matches found

ATTACKERKB
ATTACKERKB
added 2026/05/04 5:42 p.m.7 views

CVE-2026-41571

Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...

9.4CVSS5.7AI score0.00296EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/04 12:0 a.m.9 views

PT-2026-37162

Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 2.25.0 Description The WebSocket login path, which involves sending login: username, password messages over an established connection, calls the app.securityStrategy.login function directly without rate...

8.7CVSS5.8AI score0.00327EPSS
Exploits1References11
Tenable Nessus
Tenable Nessus
added 2026/05/02 12:0 a.m.3 views

Fedora 43 : perl-CryptX (2026-3e1f671a17)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-3e1f671a17 advisory. 0.088 2026-04-23 - Crypt::KeyDerivation - new functions: pbkdf1openssl, bcryptpbkdf, scryptpbkdf, argon2pbkdf - Crypt::Misc - new functions: randomv7uuid,...

7.5CVSS5.8AI score0.00447EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/30 8:39 p.m.6 views

CVE-2026-41263 Traefik: BasicAuth middleware: timing side-channel vulnerability

Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to ho...

6.3CVSS5.7AI score0.00369EPSS
Exploits0References4
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/29 6:41 p.m.5 views

Security Bulletin: Multiple vulnerabilities in IBM Aspera Enterprise WebApps

Summary Multiple vulnerabilities were addressed in IBM Aspera Enterprise WebApps version 1.0.2.1 Vulnerability Details CVEID:CVE-2026-33306 DESCRIPTION: bcrypt-ruby is a Ruby binding for the OpenBSD bcrypt password hashing algorithm. Prior to version 3.1.22, an integer overflow in the Java BCrypt...

8.7CVSS6.3AI score0.0061EPSS
Exploits1Affected Software3
Github Security Blog
Github Security Blog
added 2026/04/28 6:30 p.m.12 views

Netmaker does not verify JWT signatures for host tokens

Netmaker by Gravitl is an open-source WireGuard-based networking platform for creating and managing virtual overlay networks. The VerifyHostToken function in logic/jwts.go does not validate the JWT signature when verifying host tokens. After calling jwt.ParseWithClaims, the function only checks...

8.2CVSS5.8AI score0.00298EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/25 11:40 p.m.6 views

GHSA-PXF8-6WQM-R6HH Note Mark: OIDC-registered users authenticated by submitting password "null"

Summary IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for...

9.4CVSS5.8AI score0.00296EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/04/25 11:40 p.m.13 views

Note Mark: OIDC-registered users authenticated by submitting password "null"

Summary IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for...

9.4CVSS5.4AI score0.00296EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.6 views

PT-2026-35063

Name of the Vulnerable Software and Affected Versions 4ga Boards versions prior to 3.3.5 Description 4ga Boards is a boards system for realtime project management. The software allows user enumeration through a timing side-channel in the login endpoint '/api/access-tokens'. The server responds...

5.3CVSS5.2AI score0.00197EPSS
Exploits0References4
NVD
NVD
added 2026/04/17 1:17 a.m.4 views

CVE-2026-40263

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerat...

3.7CVSS0.002EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/16 11:53 p.m.7 views

CVE-2026-40263 Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerat...

3.7CVSS5.7AI score0.002EPSS
Exploits0References2
CVE
CVE
added 2026/04/16 11:53 p.m.7 views

CVE-2026-40263

Note Mark: Timing-based username enumeration vulnerability in login endpoint. Versions

3.7CVSS5.7AI score0.002EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/13 7:31 p.m.9 views

Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel

Summary A timing side-channel in the login endpoint allows unauthenticated attackers to determine whether a username exists by measuring response time differences. Requests for valid usernames take noticeably longer because the server performs bcrypt password verification, while requests for...

3.7CVSS5.9AI score0.002EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/08 12:7 a.m.6 views

Parse Server has a login timing side-channel reveals user existence

Impact The login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant...

6.3CVSS5.9AI score0.0023EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/04/08 12:7 a.m.7 views

GHSA-MMPQ-5HCV-HF2V Parse Server has a login timing side-channel reveals user existence

Impact The login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant...

6.3CVSS5.8AI score0.0023EPSS
Exploits0References5
NVD
NVD
added 2026/04/07 6:16 p.m.6 views

CVE-2026-39321

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the...

6.3CVSS0.0023EPSS
Exploits0References3
OSV
OSV
added 2026/03/27 2:3 p.m.6 views

OESA-2026-1723 rubygem-bcrypt security update

bcrypt is a sophisticated and secure hash algorithm designed by The OpenBSD project for hashing passwords. bcrypt-ruby provides a simple, humane wrapper for safely handling passwords. Security Fixes: bcrypt-ruby is a Ruby binding for the OpenBSD bcrypt password hashing algorithm. Prior to version...

7.5CVSS5.8AI score0.00228EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:1 p.m.4 views

CVE-2026-32890

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting XSS vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the...

9.6CVSS6AI score0.00427EPSS
Exploits0References1
OSV
OSV
added 2026/03/24 7:18 p.m.7 views

GHSA-7789-65HX-F26W FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel

Summary The /api/auth/login authentication endpoint does not execute in constant time. When a non-existent username is supplied, the server returns a 401/403 response almost immediately. When a valid username is provided, the server performs a bcrypt password comparison, causing a measurable dela...

5.3CVSS5.9AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/24 7:18 p.m.7 views

FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel

Summary The /api/auth/login authentication endpoint does not execute in constant time. When a non-existent username is supplied, the server returns a 401/403 response almost immediately. When a valid username is provided, the server performs a bcrypt password comparison, causing a measurable dela...

5.9AI score
Exploits0References4Affected Software1
Rows per page
Query Builder