
8 matches found

OSV
added 2026/05/06 11:37 p.m. | 1 view

GHSA-53HJ-R94P-8C8F Kanidm has non-constant-time comparison of OAuth2 client_secret

Summary: The kanidmd OAuth2 token-exchange (/oauth2/token) and token-introspection (/oauth2/token/introspect) endpoints compare the supplied client_secret against the stored secret using Rust's PartialEq on String, which short-circuits on the first mismatching byte. This produces an observable timing...

CVSS 3.7 | AI score 6
Exploits 0 | References 2
RedhatCVE
added 2026/03/04 1:57 a.m. | 2 views

CVE-2026-28360

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3...

CVSS 6.9 | AI score 5.8 | EPSS 0.00044
Exploits 0 | References 1
OSV
added 2026/03/02 7:52 p.m. | 3 views

GHSA-MPP2-X7WV-38HV NocoDB has Plaintext Storage of Shared View Passwords

Summary: Shared view passwords were stored in plaintext in the database and compared using direct string equality. Details: The password column in ncviews stored unhashed passwords. Verification used a !== comparison across public-datas.service.ts, public-metas.service.ts, and...

CVSS 6.9 | AI score 5.9 | EPSS 0.00044
Exploits 0 | References 4
Ubuntu
added 2025/12/01 2:42 p.m. | 2 views

USN-7901-1: CRaC JDK 21 vulnerabilities

Jinfeng Guo discovered that the Security component of CRaC JDK 21 did not correctly handle certain representations of encoded strings. An unauthenticated remote attacker could possibly use this issue to modify files or leak sensitive information. CVE-2025-53057 Darius Bohni discovered that the JA...

CVSS 7.5 | AI score 7.4 | EPSS 0.00068
Exploits 0
Debian
added 2025/10/26 6:20 p.m. | 4 views

[SECURITY] [DSA 6039-1] openjdk-25 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6039-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff October 26, 2025 https://www.debian.org/security/faq -...

CVSS 7.5 | AI score 7.2 | EPSS 0.00068
Exploits 0
Tenable Nessus
added 2025/10/26 12:00 a.m. | 3 views

Debian dsa-6039 : openjdk-25-dbg - security update

The remote Debian 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6039 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6039-1 [email protected] https://www.debian.org/securit...

CVSS 7.5 | AI score 7.3 | EPSS 0.00068
Exploits 0 | References 8
Tenable Nessus
added 2025/10/24 12:00 a.m. | 4 views

Debian dsa-6037 : openjdk-21-dbg - security update

The remote Debian 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6037 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6037-1 [email protected] https://www.debian.org/securit...

CVSS 7.5 | AI score 7.3 | EPSS 0.00068
Exploits 0 | References 8
Prion
added 2023/08/16 9:15 p.m. | 6 views

Cross-site request forgery (CSRF)

Oppia is an online learning platform. When comparing a received CSRF token against the expected token, Oppia uses the string equality operator ==, which is not safe against timing attacks. By repeatedly submitting invalid tokens, an attacker can brute-force the expected CSRF token character by...

CVSS 2.6 | AI score 5.4 | EPSS 0.00216
Exploits 1 | References 4 | Affected software 1