20 matches found
CVE-2026-41161
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time...
CVE-2026-41161
Summary: CVE-2026-41161 affects Sync-in Server before version 2.2.0. The /api/auth/login endpoint exposes a timing-based flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring response times. This is confirmed in the GitHub advisory and CVE descriptions, which...
@bechara/crux (>=6.0.0 <=6.6.2), @cappa/cli (>=0.1.0 <=0.8.2) +11 more potentially affected by CVE-2026-6270 via @fastify/middie (>=9.0.2 <=9.3.1)
@fastify/middie NPM version =9.0.2, =6.0.0, =0.1.0, =0.1.0, =1.0.0, =1.0.11, =0.1.51, =1.0.36, =11.0.0, =1.3.0, =5.0.0, =0.6.1-dev, =1.1.48 Source cves: CVE-2026-6270 Source advisory: SNYK:JS-FASTIFYMIDDIE-16098213...
Timing Attack
Overview @sync-in/server is a The secure, open-source platform for file storage, sharing, collaboration, and syncing Affected versions of this package are vulnerable to Timing Attack via the login process. An attacker can obtain valid usernames by measuring differences in response times from the...
PT-2026-37110
Name of the Vulnerable Software and Affected Versions Sync-in Server versions prior to 2.2.0 Description A logic flaw in the "/api/auth/login" endpoint allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This timing discrepancy occurs...
CVE-2025-67438
A Stored Cross-Site Scripting XSS vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information,...
GHSA-9JMQ-XGJM-P8C2 Sync-in Server has a stored cross-site scripting (XSS) vulnerability
A Stored Cross-Site Scripting XSS vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information,...
CVE-2025-67438
A Stored Cross-Site Scripting XSS vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information,...
CVE-2025-67438
A Stored Cross-Site Scripting XSS vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information,...
CVE-2025-67438
A Stored Cross-Site Scripting XSS vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information,...
CVE-2025-67438
A Stored Cross-Site Scripting XSS vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information,...
CVE-2025-67438
CVE-2025-67438 concerns Sync-in Server prior to v1.9.3, where an authenticated attacker can upload a crafted SVG to trigger a Stored Cross-Site Scripting (XSS) vulnerability. The malicious payload in the SVG may execute in a victim’s browser and exfiltrate sensitive data, including session cookie...
PT-2026-21020
Name of the Vulnerable Software and Affected Versions Sync-in Server versions prior to 1.9.3 Description A Stored Cross-Site Scripting XSS issue exists in Sync-in Server. An authenticated attacker can execute arbitrary JavaScript in a victim’s browser. This is achieved by uploading a crafted SVG...
EUVD-2025-30327
Malicious code in bioql PyPI...
CVE-2025-56869
Directory traversal vulnerability in Sync In server thru 1.1.1 allowing authenticated attackers to gain read and write access to the system via FilesManager.saveMultipart function in backend/src/applications/files/services/files-manager.service.ts, and FilesManager.compress function in...
CVE-2025-56869
Directory traversal vulnerability in Sync In server thru 1.1.1 allowing authenticated attackers to gain read and write access to the system via FilesManager.saveMultipart function in backend/src/applications/files/services/files-manager.service.ts, and FilesManager.compress function in...
CVE-2025-56869
Directory traversal vulnerability in Sync In server thru 1.1.1 allowing authenticated attackers to gain read and write access to the system via FilesManager.saveMultipart function in backend/src/applications/files/services/files-manager.service.ts, and FilesManager.compress function in...
CVE-2025-56869
CVE-2025-56869 describes a directory traversal vulnerability in the Sync In server (up to version 1.1.1). The issue affects the files-management code paths: FilesManager.saveMultipart and FilesManager.compress in backend/src/applications/files/services/files-manager.service.ts, enabling authentic...
PT-2025-38583
Name of the Vulnerable Software and Affected Versions Sync In versions through 1.1.1 Description A directory traversal issue exists in Sync In server. Authenticated attackers can achieve read and write access to the system through the FilesManager.saveMultipart function located in...
CVE-2025-56869
Directory traversal vulnerability in Sync In server thru 1.1.1 allowing authenticated attackers to gain read and write access to the system via FilesManager.saveMultipart function in backend/src/applications/files/services/files-manager.service.ts, and FilesManager.compress function in...