1215 matches found
CVE-2026-24455
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network...
CVE-2026-27480
Static Web Server SWS is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames,...
CVE-2026-27480 Static Web Server: Timing-Based Username Enumeration in Basic Authentication
Static Web Server SWS is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames,...
CVE-2026-27480 Static Web Server: Timing-Based Username Enumeration in Basic Authentication
Static Web Server SWS is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames,...
CVE-2026-27480
CVE-2026-27480 affects Static Web Server (SWS) versions 2.1.0 through 2.40.1. The vulnerability is a timing-based username enumeration in Basic Authentication: the server checks whether a username exists before validating the password, causing valid usernames to take a slower path (e.g., bcrypt h...
CVE-2026-27480
Static Web Server SWS is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames,...
CVE-2026-27480 Static Web Server: Timing-Based Username Enumeration in Basic Authentication
Static Web Server SWS is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames,...
Use of Default Credentials
Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Use of Default Credentials in the basicauth.ini file. An attacker...
GHSA-GQ3W-7JJ3-X7GR MLflow Use of Default Password Authentication Bypass Vulnerability
This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The file contains hard-coded default credentials. An attacker can leverage...
Static Web Server 安全漏洞
Static Web Server is a static web server developed by the German company Static Web Server. Versions 2.1.0 to 2.40.1 of Static Web Server contain security vulnerabilities. These vulnerabilities stem from time-based username enumeration in basic authentication, which may lead to brute-force attack...
CVE-2026-2635
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The fi...
CVE-2026-2635 MLflow Use of Default Password Authentication Bypass Vulnerability
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The fi...
CVE-2026-2635
MLflow before version 3.8.0 is affected by an authentication bypass (CVE-2026-2635) due to default credentials in basic_auth.ini, allowing remote, unauthenticated attackers to bypass authentication and execute arbitrary code with administrator privileges. Root cause: hard-coded default credential...
GHSA-QHP6-635J-X7R2 Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames
Summary A Timing-based username enumeration in Basic Authentication vulnerability due to early response on invalid usernames could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks. Details SWS validates the provided username...
Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames
Summary A Timing-based username enumeration in Basic Authentication vulnerability due to early response on invalid usernames could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks. Details SWS validates the provided username...
CVE-2026-24455
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network...
CVE-2026-24455
CVE-2026-24455 affects the embedded web interface of the Jinan USR IOT USR-W610. The interface does not support HTTPS/TLS and relies on HTTP Basic Authentication, meaning credentials are encoded but not encrypted and can be captured by anyone on the same network. Impact described in sources inclu...
CVE-2026-24455 Jinan USR IOT Technology Limited (PUSR) USR-W610 Cleartext Transmission of Sensitive Information
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network...
CVE-2026-24455
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network...
CVE-2026-24455 Jinan USR IOT Technology Limited (PUSR) USR-W610 Cleartext Transmission of Sensitive Information
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network...