3242 matches found
CVE-2026-27480 Static Web Server: Timing-Based Username Enumeration in Basic Authentication
Static Web Server SWS is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames,...
GHSA-QHP6-635J-X7R2 Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames
Summary A Timing-based username enumeration in Basic Authentication vulnerability due to early response on invalid usernames could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks. Details SWS validates the provided username...
Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames
Summary A Timing-based username enumeration in Basic Authentication vulnerability due to early response on invalid usernames could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks. Details SWS validates the provided username...
PT-2026-21333
Name of the Vulnerable Software and Affected Versions Static Web Server versions 2.1.0 through 2.40.1 Description Static Web Server SWS has a timing-based username enumeration issue in Basic Authentication. The server checks if a username exists before verifying the password. Valid usernames...
Timing Attack
Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Timing Attack via the timingSafeEqual function. An attacker can infer sensitive information by performing timing analysis attacks during authentication comparisons. Remediation Upgrade ho...
GHSA-GQ3J-XVXP-8HRF Hono added timing comparison hardening in basicAuth and bearerAuth
Summary The basicAuth and bearerAuth middlewares previously used a comparison that was not fully timing-safe. The timingSafeEqual function used normal string equality === when comparing hash values. This comparison may stop early if values differ, which can theoretically cause small timing...
Side-Channel Attacks Against LLMs
Here are three papers describing different side-channel attacks against LLMs. "Remote Timing Attacks on Efficient Language Model Inference": Abstract: Scaling up language models has significantly increased their capabilities. But larger models are slower models, and so there is now an extensive...
CVE-2026-26185
Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reseturl parameter is provided, the response time differs by approximately 500ms between...
OESA-2026-1344 python-django security update
A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in Django versions before 6.0.2, before 5.2.11, and before 4.2.28. The django.contrib.auth.handlers.modwsgi.checkpassword function for authentication via modwsg...
OESA-2026-1343 python-django security update
A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in Django versions before 6.0.2, before 5.2.11, and before 4.2.28. The django.contrib.auth.handlers.modwsgi.checkpassword function for authentication via modwsg...
Information Exposure
Overview @directus/api is a real-time API and App dashboard for managing SQL database content Affected versions of this package are vulnerable to Information Exposure via the password reset functionality. An attacker can determine the existence of user accounts by measuring response time...
GHSA-JR94-GJ3H-C8RF Directus Vulnerable to User Enumeration via Password Reset Timing Attack
Summary A timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reseturl parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. Details The password rese...
Directus Vulnerable to User Enumeration via Password Reset Timing Attack
Summary A timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reseturl parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. Details The password rese...
CVE-2026-26185 Directus Affected by User Enumeration via Password Reset Timing Attack
Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reseturl parameter is provided, the response time differs by approximately 500ms between...
CVE-2026-26185 Directus Affected by User Enumeration via Password Reset Timing Attack
Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reseturl parameter is provided, the response time differs by approximately 500ms between...
CVE-2026-26185
Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reseturl parameter is provided, the response time differs by approximately 500ms between...
CVE-2026-26185
Directus before v11.14.1 is affected by a timing-based user enumeration vulnerability in the password reset flow. When an invalid reset_url is supplied, responses differ by about 500ms between existing and non-existing users, enabling enumeration of valid usernames. The issue is fixed in v11.14.1...
CVE-2026-26185 Directus Affected by User Enumeration via Password Reset Timing Attack
Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reseturl parameter is provided, the response time differs by approximately 500ms between...
Security update for zabbix
This update for zabbix fixes the following issues: CVE-2024-36469: Introduced clamping for mitigation of timing attacks. bsc1240676 CVE-2024-42325: Restricted access to user fields using user.get API method for users of User and Admin type, and restricted access to alert entities using alert.get...
Security update for python-Django
This update for python-Django fixes the following issues: CVE-2025-14550: Fixed potential denial-of-service via repeated headers when using ASGIbsc1257403 CVE-2026-1312: Fixed potential SQL injection via QuerySet.orderby and FilteredRelation bsc1257408 CVE-2026-1287: Fixed potential SQL injection...