CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 2026/05/12 6:30 p.m.•7 views

EUVD-2026-29518

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versio...

5.7AI score0.00365EPSS

Snyk•added 2026/05/12 5:22 p.m.•6 views

Timing Attack

Overview org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can perform a timing side-channel attack...

Snyk•added 2026/05/12 5:22 p.m.•7 views

Timing Attack

Overview org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can perform a timing side-channel attack to determine whether a guessed secret is correct by sending many...

Snyk•added 2026/05/12 5:22 p.m.•8 views

Timing Attack

Overview org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can perform a timing side-channel attack to determine whether a guessed secret is correct by sending many...

Snyk•added 2026/05/12 5:22 p.m.•5 views

Timing Attack

Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can perform a timing side-channel attack to determine whether a guessed secret ...

Positive Technologies•added 2026/05/12 12:0 a.m.•8 views

PT-2026-40073

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 11.0.0-M1 through 11.0.21 Apache Tomcat versions 10.1.0-M1 through 10.1.54 Apache Tomcat versions 9.0.0.M1 through 9.0.117 Apache Tomcat versions 8.5.0 through 8.5.100 Apache Tomcat versions 7.0.0 through 7.0.109 Apache...

9.8CVSS5.8AI score0.0078EPSS

Exploits2References55

ATTACKERKB•added 2026/04/28 6:10 p.m.•2 views

CVE-2026-41407

OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-length information, weakening constant-time handli...

6.3CVSS5.2AI score0.00225EPSS

Exploits0References4

Github Security Blog•added 2026/04/28 12:31 a.m.•4 views

Spring Boot DevTools remote secret comparison is vulnerable to timing attacks

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code executio...

7.5CVSS6.4AI score0.00281EPSS

Exploits0References3Affected Software1

EUVD•added 2026/04/27 11:15 p.m.•2 views

EUVD-2026-25936

7.5CVSS6.2AI score0.00281EPSS

Exploits0References1

Snyk•added 2026/04/23 12:0 a.m.•3 views

Timing Attack

Overview Affected versions of this package are vulnerable to Timing Attack in DevTool due to comparing the user-provided "remote secret" against the actual secret using standard string comparison logic like String.equals or ==. Standard string comparisons are not constant-time. They evaluate...

7.7CVSS5.5AI score0.00281EPSS

Snyk•added 2026/04/07 6:16 p.m.•3 views

Timing Attack

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Timing Attack through the secret comparison process. An attacker can infer secret length information by measuring timing differences during comparison operations. Remediation Upgrade...

6.3CVSS5.8AI score0.00225EPSS

Github Security Blog•added 2026/04/07 6:16 p.m.•4 views

OpenClaw: Shared-secret comparison call sites leaked length information through timing

Summary Before OpenClaw 2026.4.2, several shared-secret comparison call sites still used early length-mismatch checks instead of the shared fixed-length comparison helper. Those paths could leak secret-length information through measurable timing differences. Impact The affected paths exposed a...

6.3CVSS5.9AI score0.00225EPSS

Exploits0References5Affected Software1

OSV•added 2025/10/11 1:20 p.m.•3 views

OESA-2025-2395 ongres-scram security update

Scram is part of the family of Simple Authentication and Security Layer authentication mechanisms.It is described as part of RFC 5802 and RFC7677. This pachage is a Java implementation. Security Fixes: SCRAM Salted Challenge Response Authentication Mechanism is part of the family of Simple...

8.7CVSS7AI score0.00835EPSS

SUSE CVE•added 2025/09/23 11:23 p.m.•2 views

SUSE CVE-2025-59432

SCRAM Salted Challenge Response Authentication Mechanism is part of the family of Simple Authentication and Security Layer SASL, RFC 4422 authentication mechanisms. Prior to version 3.2, a timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals...

6.8CVSS7AI score0.00835EPSS

Exploits0References6

NVD•added 2025/09/22 8:15 p.m.•6 views

CVE-2025-59432

8.7CVSS0.00835EPSS

CVE•added 2025/09/22 7:22 p.m.•36 views

CVE-2025-59432

SCRAM timing attack (CVE-2025-59432) affects the SCRAM Java implementation prior to v3.2 due to using Arrays.equals to compare secret values, causing variable execution time. It can enable a timing side‑channel to infer authentication material. The issue is mitigated by using constant-time compar...

8.7CVSS6.6AI score0.00835EPSS