3232 matches found
CVE-2026-40972
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code executio...
EUVD-2026-25936
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code executio...
CVE-2026-40972
The CVE-2026-40972 involves a Timing Attack on the DevTools remote secret comparison in Spring Boot. An attacker on the same network can measure timing differences when the remote secret is compared, enabling character-by-character deduction of the secret. In extreme cases this could allow upload...
PT-2026-35540
Name of the Vulnerable Software and Affected Versions Spring Boot versions 4.0.0 through 4.0.5 Spring Boot versions 3.5.0 through 3.5.13 Spring Boot versions 3.4.0 through 3.4.15 Spring Boot versions 3.3.0 through 3.3.18 Spring Boot versions 2.7.0 through 2.7.32 Spring Boot versions prior to 2.7....
Exploit for Observable Timing Discrepancy in Triliumnotes Trilium
CVE-2025-68621 — Trilium Notes Timing Attack on /api/login/sy...
PYSEC-2026-76
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's urltosize helper used by getnumtokensfrommessages for image token counting validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS...
Timing Attack
Overview Affected versions of this package are vulnerable to Timing Attack via the BasicAuth process. An attacker can enumerate valid usernames by measuring authentication response times, exploiting differences in processing between existing and non-existing users. Remediation Upgrade...
Timing Attack
Overview Affected versions of this package are vulnerable to Timing Attack via the BasicAuth process. An attacker can enumerate valid usernames by measuring authentication response times, exploiting differences in processing between existing and non-existing users. Remediation Upgrade...
Timing Attack
Overview github.com/traefik/traefik/v2/pkg/middlewares/auth is a Cloud Native Application Proxy. Affected versions of this package are vulnerable to Timing Attack via the BasicAuth process. An attacker can enumerate valid usernames by measuring authentication response times, exploiting difference...
CVE-2026-41244
Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator !== to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy CWE-208,...
CVE-2026-41244 Mojic: Observable Timing Discrepancy in HMAC Verification
Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator !== to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy CWE-208,...
CVE-2026-41244
Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator !== to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy CWE-208,...
CVE-2026-41244 Mojic: Observable Timing Discrepancy in HMAC Verification
Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator !== to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy CWE-208,...
EUVD-2026-25610
Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator !== to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy CWE-208,...
CVE-2026-41244
Affected software: Mojic CLI tool. Issue: CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during decryption, causing an observable timing discrepancy (CWE-208). Impact: potential attacker could bypass the file integrity check via a timing attack. Stat...
Timing Attack
Bouncy Castle is vulnerable to Timing Attack. The vulnerability is due to timing discrepancies in cryptographic operations within the FrodoEngine component, which allows an attacker to infer sensitive information through timing analysis...
PT-2026-35067
Name of the Vulnerable Software and Affected Versions Mojic versions prior to 2.1.4 Description The CipherEngine uses a standard equality operator !== to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy, which is a situation where th...
Timing Attack
Overview Affected versions of this package are vulnerable to Timing Attack in DevTool due to comparing the user-provided "remote secret" against the actual secret using standard string comparison logic like String.equals or ==. Standard string comparisons are not constant-time. They evaluate...
EUVD-2026-24607
Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...
GHSA-VXF7-QJ7Q-83FH Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider
Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...