1215 matches found
CVE-2026-33677
Vikunja (self-hosted task management) prior to version 2.2.1 exposes webhook BasicAuth credentials (basic_auth_user, basic_auth_password) via GET /api/v1/projects/:project/webhooks to any user with read access. The code already masks the HMAC secret, but the BasicAuth fields were not masked after...
CVE-2026-33315
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
CVE-2026-33315 Vikunja has a 2FA Bypass via Caldav Basic Auth
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
CVE-2026-33315 Vikunja has a 2FA Bypass via Caldav Basic Auth
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
CVE-2026-33315
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...
Vikunja 信息泄露漏洞
Vikunja is an open-source to-do application developed by Vikunja. Versions of Vikunja prior to 2.2.1 contained a security vulnerability where the GET /api/v1/projects/:project/webhooks endpoint returned BasicAuth credentials in plain text, potentially leading to credential exposure...
Vikunja 安全漏洞
Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja prior to 2.2.0 contained security vulnerabilities. These vulnerabilities stemmed from Caldav endpoints allowing login using basic authentication, which could enable users to bypass TOTP accounts that...
GO-2026-4794 Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api
Vikunja has a 2FA Bypass via Caldav Basic Auth in code.vikunja.io/api...
CVE-2026-32595
A flaw was found in Traefik. An unauthenticated attacker can exploit a timing attack vulnerability in the BasicAuth middleware. By observing the time it takes for the middleware to respond, an attacker can determine if a submitted username is valid or not. This information disclosure allows for...
SUSE CVE-2026-32595
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taki...
Authentication Bypass Using an Alternate Path or Channel
Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the caldav authentication process. An attacker can gain unauthorized access to sensitive project information by bypassing two-factor authentication using Basic Authentication...
Vikunja has a 2FA Bypass via Caldav Basic Auth
Summary The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc. Details...
EUVD-2026-13664
Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration...
Timing Attack
Overview github.com/traefik/traefik/v2/pkg/middlewares/auth is a Cloud Native Application Proxy. Affected versions of this package are vulnerable to Timing Attack via the BasicAuth middleware. An attacker can enumerate valid usernames by measuring the response time differences when submitting...
Timing Attack
Overview Affected versions of this package are vulnerable to Timing Attack via the BasicAuth middleware. An attacker can enumerate valid usernames by measuring the response time differences when submitting authentication requests. Remediation Upgrade...
CVE-2026-32595
Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taki...
CVE-2026-33129 h3 has an observable timing discrepancy in basic auth utils
H3 is a minimal HTTP framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison !==. This allows an attacker to deduce the valid password character-by-character by measuring the server...
CVE-2026-33129 h3 has an observable timing discrepancy in basic auth utils
H3 is a minimal HTTP framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison !==. This allows an attacker to deduce the valid password character-by-character by measuring the server...
CVE-2026-33129
H3 is a minimal HTTP framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison !==. This allows an attacker to deduce the valid password character-by-character by measuring the server...
Traefik 安全漏洞
Traefik is an open-source reverse proxy and load balancing tool developed by Traefik. Versions of Traefik such as 2.11.40, 3.0.0-beta1 to 3.6.11, and 3.7.0-ea.1 contain security vulnerabilities. These vulnerabilities stem from a timing discrepancy in the BasicAuth middleware, which may lead to...