1240 matches found
GHSA-GQ3W-7JJ3-X7GR MLflow Use of Default Password Authentication Bypass Vulnerability
This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The file contains hard-coded default credentials. An attacker can leverage...
Static Web Server 安全漏洞
Static Web Server is a static web server developed by the German company Static Web Server. Versions 2.1.0 to 2.40.1 of Static Web Server contain security vulnerabilities. These vulnerabilities stem from time-based username enumeration in basic authentication, which may lead to brute-force attack...
CVE-2026-2635
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The fi...
CVE-2026-2635
MLflow before version 3.8.0 is affected by an authentication bypass (CVE-2026-2635) due to default credentials in basic_auth.ini, allowing remote, unauthenticated attackers to bypass authentication and execute arbitrary code with administrator privileges. Root cause: hard-coded default credential...
CVE-2026-2635 MLflow Use of Default Password Authentication Bypass Vulnerability
MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The fi...
GHSA-QHP6-635J-X7R2 Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames
Summary A Timing-based username enumeration in Basic Authentication vulnerability due to early response on invalid usernames could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks. Details SWS validates the provided username...
Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames
Summary A Timing-based username enumeration in Basic Authentication vulnerability due to early response on invalid usernames could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks. Details SWS validates the provided username...
CVE-2026-24455
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network...
CVE-2026-24455 Jinan USR IOT Technology Limited (PUSR) USR-W610 Cleartext Transmission of Sensitive Information
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network...
CVE-2026-24455
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network...
CVE-2026-24455
CVE-2026-24455 affects the embedded web interface of the Jinan USR IOT USR-W610. The interface does not support HTTPS/TLS and relies on HTTP Basic Authentication, meaning credentials are encoded but not encrypted and can be captured by anyone on the same network. Impact described in sources inclu...
CVE-2026-24455 Jinan USR IOT Technology Limited (PUSR) USR-W610 Cleartext Transmission of Sensitive Information
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network...
CVE-2025-15581
Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access...
Jinan USR IOT USR-W610 安全漏洞
Jinan USR IOT USR-W610 is a serial-to-Ethernet converter developed by Jinan USR IOT. There is a security vulnerability in the Jinan USR IOT USR-W610. This vulnerability stems from the fact that the embedded Web interface of the device does not support HTTPS/TLS authentication and uses HTTP basic...
PT-2026-21227
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network...
PT-2026-21333
Name of the Vulnerable Software and Affected Versions Static Web Server versions 2.1.0 through 2.40.1 Description Static Web Server SWS has a timing-based username enumeration issue in Basic Authentication. The server checks if a username exists before verifying the password. Valid usernames...
Hono added timing comparison hardening in basicAuth and bearerAuth
Summary The basicAuth and bearerAuth middlewares previously used a comparison that was not fully timing-safe. The timingSafeEqual function used normal string equality === when comparing hash values. This comparison may stop early if values differ, which can theoretically cause small timing...
MLflow Use of Default Password Authentication Bypass Vulnerability
This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The file contains hard-coded default credentials. An attacker can leverage...
CVE-2025-15581
Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access...
DEBIAN-CVE-2025-15581
Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access...