CVE-2026-31889 Shopware has a potential take over of app credentials

Shopware is an open commerce platform. Prior to 6.6.10.15 and 6.7.8.1, a vulnerability in the Shopware app registration flow that could, under specific conditions, allow attackers to take over the communication channel between a shop and an app. The legacy app registration flow used HMAC‑based...

GO-2026-4622 OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes in github.com/OliveTin/OliveTin

OliveTin has JWT Audience Validation Bypass in Local Key and HMAC Modes in github.com/OliveTin/OliveTin...

CVE-2026-30223 OliveTin: JWT Audience Validation Bypass in Local Key and HMAC Modes

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" local RSA public key or "authJwtHmacSecret" HMAC secret, the configured audience value authJwtAud is not enforced during toke...

EUVD-2026-8680

An issue in OpenFUN Richie LMS in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the synccourserunfromrequest function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response...

OpenFUN Richie Observable Timing Discrepancy in its sync_course_run_from_request function

An issue in OpenFUN Richie LMS in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the synccourserunfromrequest function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response...

GHSA-XJHR-FM27-4HMX OpenFUN Richie Observable Timing Discrepancy in its sync_course_run_from_request function

An issue in OpenFUN Richie LMS in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the synccourserunfromrequest function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response...

CVE-2026-26717

An issue in OpenFUN Richie LMS in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the synccourserunfromrequest function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response...

CVE-2026-26717

An issue in OpenFUN Richie LMS in src/richie/apps/courses/api.py. The application used the non-constant time == operator for HMAC signature verification in the synccourserunfromrequest function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response...

Richie 安全漏洞

Richie is an open-source educational content management system developed by France Université Numérique. Richie has a security vulnerability. This vulnerability stems from the use of the non-constant time == operator in the synccourserunfromrequest function for HMAC signature verification. This...

CVE-2025-68621

Trilium Notes has a timing-attack vulnerability in the sync authentication endpoint (/api/login/sync) affecting versions before 0.101.0. Unauthenticated remote attackers can recover HMAC hashes byte-by-byte via statistical timing analysis, enabling complete authentication bypass and full read/wri...

RustFS's RPC signature verification logs shared secret

Summary Invalid RPC signatures cause the server to log the shared HMAC secret and expected signature, which exposes the secret to log readers and enables forged RPC calls. Details In crates/ecstore/src/rpc/httpauth.rs:115-122 , the invalid signature branch logs sensitive data: rs if signature !=...

CVE-2013-10031

Plack-Middleware-Session (Perl) versions before 0.17 are vulnerable to HMAC comparison timing attacks. Affected component: Plack::Middleware::Session; root cause is a timing-attack vulnerability in HMAC comparison. Impact is described as a potential exposure via timing differences, with no explic...

[SECURITY] [DSA 6069-1] openvpn security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6069-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso December 03, 2025 https://www.debian.org/security/faq -...

USN-7898-1: OpenVPN vulnerability

Joshua Rogers discovered that OpenVPN incorrectly handled HMAC verification checks. A remote attacker could possibly use this issue to bypass source IP address validation...

USN-7898-1 openvpn vulnerability

Joshua Rogers discovered that OpenVPN incorrectly handled HMAC verification checks. A remote attacker could possibly use this issue to bypass source IP address validation...

Timing Attack

Overview Affected versions of this package are vulnerable to Timing Attack in the SharedKey::sign function. An attacker can potentially forge signatures by exploiting differences in processing time during HMAC signature verification. Remediation Upgrade httpsig to version 0.0.19 or higher...

GHSA-Q7PG-9PR4-MRP2 httpsig-rs: HMAC verification is vulnerable to timing attack

Summary HMAC signature comparison is not timing-safe and is vulnerable to timing attacks. Details SharedKey::sign returns a Vec which has a non-constant-time equality implementation. Hmac::finalize returns a constant-time wrapper CtOutput which was discarded. Alternatively, Hmac has a constant-ti...

httpsig-rs: HMAC verification is vulnerable to timing attack

Summary HMAC signature comparison is not timing-safe and is vulnerable to timing attacks. Details SharedKey::sign returns a Vec which has a non-constant-time equality implementation. Hmac::finalize returns a constant-time wrapper CtOutput which was discarded. Alternatively, Hmac has a constant-ti...

CVE-2025-59058

Affected software: httpsig-rs (Rust implementation of IETF RFC 9421 http message signatures). Vulnerability: Prior to version 0.0.19, HMAC signature comparison is not timing-safe, allowing a timing attack to forge signatures during HS256 verification. Impact (as stated): Attack could forge a sign...

Linux Distros Unpatched Vulnerability : CVE-2022-48566

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in comparedigest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable...