7379 matches found
JLSEC-2026-761
iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of message...
Chromium: CVE-2026-13809 Side-channel information leakage in Safe Browsing
This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
CVE-2026-12426 Members <= 3.2.22 - Unauthenticated Sensitive Information Disclosure via REST API Pagination Side Channel
The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the membersfilterprotectedpostsforrest. This makes it possible for unauthenticated attackers to extract determine the existence...
CVE-2026-54736 Phalcon: Non-constant-time HMAC verification in `Encryption\Crypt::decrypt` (timing side-channel)
Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first...
UBUNTU-CVE-2026-15041
A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash...
PYSEC-2026-1811 PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption
PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack...
PT-2026-56190
A stored XPATH injection vulnerability exists in opnsense's trust module. Any user if given just System: CA Manager permissions can use a bool side channel/oracle to slowly leak any secret in config.xml character by character. the injection point is in the refid field of a ca object. Write-up for...
Chromium: CVE-2026-13790 Side-channel information leakage in Scroll
This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
Chromium: CVE-2026-14071 Side-channel information leakage in WebAudio
This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
Chromium: CVE-2026-14012 Side-channel information leakage in CSS
This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
Chromium: CVE-2026-13935 Side-channel information leakage in ComputePressure
This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
Chromium: CVE-2026-13922 Side-channel information leakage in Paint
This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
Chromium: CVE-2026-14085 Side-channel information leakage in CSS
This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
Chromium: CVE-2026-14074 Side-channel information leakage in WebAuthentication
This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
GHSA-G5VH-55HW-RXM8 GoFiber Vulnerable to Username Enumeration via Timing Oracle in BasicAuth Default Authorizer
Summary The default Authorizer function in GoFiber's BasicAuth middleware uses short-circuit evaluation that skips password hash comparison for non-existent usernames. With bcrypt-hashed passwords the primary use case, the timing difference between a valid and invalid username is approximately...
EUVD-2026-40772
Side-channel information leakage in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: Low...
EUVD-2026-40608
Side-channel information leakage in Paint in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: Medium...
EUVD-2026-40621
Side-channel information leakage in ComputePressure in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: Medium...
EUVD-2026-40575
Side-channel information leakage in WebAuthentication in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: Medium...
EUVD-2026-40495
Side-channel information leakage in Safe Browsing in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: High...