CVE-2026-45410 Time-based user enumeration in TREK authentication endpoint

TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before...

CVE-2026-32595 Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 comtain BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taki...

CVE-2026-25050 Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy

Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the NativeAuthenticationStrategy.authenticate method is vulnerable to a timing attack that allows attackers to enumerate valid usernames email addresses. In packages/core/src/config/auth/native-authentication-strategy.t...