CVE-2026-45327 TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection

TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a ?password= query parameter, comparing the supplied...

CVE-2026-45327

TinyIce (Go) versions 0.8.95–2.4.1 expose a missing authentication on the WebRTC ingest endpoint POST /webrtc/source-offer?mount=, enabling unauthenticated stream injection. The issue is fixed in v2.5.0 by requiring either HTTP Basic auth or a ?password= query parameter, verifying the supplied pa...

CVE-2026-40263

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerat...

CVE-2026-40263 Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel

Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerat...

CVE-2026-40263

Note Mark: Timing-based username enumeration vulnerability in login endpoint. Versions

Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel

Summary A timing side-channel in the login endpoint allows unauthenticated attackers to determine whether a username exists by measuring response time differences. Requests for valid usernames take noticeably longer because the server performs bcrypt password verification, while requests for...