SUSE CVE-2025-6004

Vault and Vault Enterprise's “Vault” user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...

SUSE CVE-2025-6011

A timing side channel in Vault and Vault Enterprise's “Vault” userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault's Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise...

CVE-2026-5548

A vulnerability was found in Tenda AC10 16.03.10.10multiTDE01. Affected by this vulnerability is the function fromSysToolChangePwd of the file /bin/httpd. Performing a manipulation of the argument sys.userpass results in stack-based buffer overflow. The attack can be initiated remotely...

Tenda AC10 安全漏洞

The Tenda AC10 is a wireless router produced by the Chinese company Tenda. There is a security vulnerability in the version 16.03.10.10multiTDE01 of the Tenda AC10. This vulnerability stems from incorrect handling of the parameter sys.userpass in the fromSysToolChangePwd function located in the...

CVE-2026-1972

A vulnerability was found in Edimax BR-6208AC 21.02. The affected element is the function authcheckuserpass2. Performing a manipulation of the argument Username/Password results in use of default credentials. The attack may be initiated remotely. The exploit has been made public and could be used...

EUVD-2025-23396

Malicious code in bioql PyPI...

EUVD-2025-23395

Malicious code in bioql PyPI...

Timing Side-channel Attacks

github.com/hashicorp/vault is vulnerable to Timing side-channel Attacks. The vulnerability is due to differences in response timing in the Userpass auth method, which allows an attacker to distinguish between valid and invalid usernames and potentially enumerate existing accounts...

Authentication Bypass

github.com/hashicorp/vault is vulnerable to Authentication Bypass. The vulnerability is due to improper enforcement of the user lockout feature due to flaws in the Userpass and LDAP authentication methods that allow lockout bypass...

SUSE CVE-2025-54998

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by...

GO-2025-3854 OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao

OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability...

Authentication Bypass

github.com/openbao/openbao is vulnerable to Authentication bypass. The vulnerability is due to improper aliasing between pre-flight and full login request user entity alias attributions, which allows an attacker to bypass the automatic user lockout mechanisms in the Userpass or LDAP authenticatio...

CVE-2025-54999

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users an...

CVE-2025-54998

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by...

Brute Force

Overview Affected versions of this package are vulnerable to Brute Force via the authentication process in the Userpass or LDAP systems. An attacker can circumvent intended user lockout protections by exploiting differences in user entity alias attribution between pre-flight and full login...

Brute Force

Overview Affected versions of this package are vulnerable to Brute Force via the authentication process in the Userpass or LDAP systems. An attacker can circumvent intended user lockout protections by exploiting differences in user entity alias attribution between pre-flight and full login...

Brute Force

Overview Affected versions of this package are vulnerable to Brute Force via the authentication process in the Userpass or LDAP systems. An attacker can circumvent intended user lockout protections by exploiting differences in user entity alias attribution between pre-flight and full login...

Brute Force

Overview Affected versions of this package are vulnerable to Brute Force via the authentication process in the Userpass or LDAP systems. An attacker can circumvent intended user lockout protections by exploiting differences in user entity alias attribution between pre-flight and full login...

CVE-2025-54999 OpenBao: Timing Side-Channel in Userpass Auth Method

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users an...

CVE-2025-54998

CVE-2025-54998 affects OpenBao versions 0.1.0–2.3.1, where an aliasing mismatch between pre-flight and full login user entity attributes allowed bypass of automatic user lockout in Userpass/LDAP auth. The issue is fixed in version 2.3.2. Remediation: upgrade to 2.3.2; as a workaround, apply rate-...