CVE-2026-32595 Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taki...

CVE-2026-32595

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taki...

CVE-2026-32595 Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taki...

CVE-2026-32595

Traefik vulnerability CVE-2026-32595 affects the BasicAuth middleware in multiple releases. When a submitted username exists, a bcrypt comparison runs ~166 ms; if the username does not exist, the response is ~0.6 ms. This timing difference enables an unauthenticated attacker to distinguish valid ...

EUVD-2026-13590

A flaw has been found in itsourcecode University Management System 1.0. Impacted is an unknown function of the file /adminsinglestudentupdate.php. This manipulation of the argument stname causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be...

CVE-2026-0677

CVE-2026-0677 concerns the WordPress plugin TotalContest Lite (

CVE-2026-33075

FastGPT (AI Agent platform) has a documented vulnerability in versions 4.14.8.3 and earlier affecting the fastgpt-preview-image.yml workflow. The issue arises from using pull_request_target, which can access repository secrets, while checking out code from the PR author’s fork and building/pushin...

CVE-2026-4478

A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.120171024151200. This impacts an unknown function of the file home/web/ipc of the component HTTP Firmware Update Handler. The manipulation leads to improper verification of cryptographic signature. The attack is possible to be...

CVE-2026-4478 Yi Technology YI Home Camera HTTP Firmware Update ipc signature verification

A vulnerability was identified in Yi Technology YI Home Camera 2 2.1.120171024151200. This impacts an unknown function of the file home/web/ipc of the component HTTP Firmware Update Handler. The manipulation leads to improper verification of cryptographic signature. The attack is possible to be...

CVE-2026-4477

A vulnerability was determined in Yi Technology YI Home Camera 2 2.1.120171024151200. This affects an unknown function of the component WPA/WPS. Executing a manipulation can lead to use of hard-coded cryptographic key . The attack can only be done within the local network. This attack is...

CVE-2026-4477 Yi Technology YI Home Camera WPA/WPS hard-coded key

A vulnerability was determined in Yi Technology YI Home Camera 2 2.1.120171024151200. This affects an unknown function of the component WPA/WPS. Executing a manipulation can lead to use of hard-coded cryptographic key . The attack can only be done within the local network. This attack is...

EUVD-2026-13565

A security flaw has been discovered in itsourcecode Online Frozen Foods Ordering System 1.0. Affected by this issue is some unknown functionality of the file /admin/admineditmenu.php. Performing a manipulation of the argument productname results in sql injection. It is possible to initiate the...

EUVD-2026-13567

A weakness has been identified in itsourcecode Online Frozen Foods Ordering System 1.0. This affects an unknown part of the file /admin/admineditemployee.php. Executing a manipulation of the argument FirstName can lead to sql injection. It is possible to launch the attack remotely. The exploit ha...

DoJ Disrupts 3 Million-Device IoT Botnets Behind Record 31.4 Tbps Global DDoS Attacks

The U.S. Department of Justice DoJ on Thursday announced the disruption of command-and-control C2 infrastructure used by several Internet of Things IoT botnets like AISURU, Kimwolf, JackSkid, and Mossad as part of a court-authorized law enforcement operation. The effort also saw authorities from...

CVE-2026-4474

The CVE-2026-4474 entry concerns itsourcecode University Management System 1.0. The vulnerability lies in the admin_single_student_update.php function, where manipulation of the st_name argument enables cross-site scripting (XSS). The attack can be initiated remotely and exploit code has been pub...

CVE-2026-32768 Chall-Manager's invalid NetworkPolicy enables a malicious actor to pivot into another namespace

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. In versions prior to 0.6.5, due to a miswritten NetworkPolicy, a malicious actor can pivot from an instance to any Pod out of the origin namespace. This breaks the security-by-default property expected as...

CVE-2026-4471 itsourcecode Online Frozen Foods Ordering System admin_edit_employee.php sql injection

A weakness has been identified in itsourcecode Online Frozen Foods Ordering System 1.0. This affects an unknown part of the file /admin/admineditemployee.php. Executing a manipulation of the argument FirstName can lead to sql injection. It is possible to launch the attack remotely. The exploit ha...

Timing Attack

Overview phpseclib/phpseclib is a PHP Secure Communications Library - Pure-PHP implementations of RSA, AES, SSH2, SFTP, X.509 etc. Affected versions of this package are vulnerable to Timing Attack via the AES algorithm in CBC mode. An attacker can recover sensitive information by exploiting timin...

CVE-2026-32941

Sliver is a command and control framework that uses a custom Wireguard netstack. Versions 1.7.3 and below contain a Remote OOM Out-of-Memory vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an...

CVE-2026-32950

CVE-2026-32950 affects SQLBot prior to 1.7.0, where an authenticated user can trigger a critical SQL Injection in the /api/v1/datasource/uploadExcel endpoint. The root cause is unsanitized Excel sheet names concatenated into PostgreSQL table names and embedded into COPY statements via f-strings i...