3 matches found
CVE-2026-41161
Summary: CVE-2026-41161 affects Sync-in Server before version 2.2.0. The /api/auth/login endpoint exposes a timing-based flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring response times. This is confirmed in the GitHub advisory and CVE descriptions, which...
CVE-2025-56869
CVE-2025-56869 describes a directory traversal vulnerability in the Sync In server (up to version 1.1.1). The issue affects the files-management code paths: FilesManager.saveMultipart and FilesManager.compress in backend/src/applications/files/services/files-manager.service.ts, enabling authentic...
CVE-2025-67438
CVE-2025-67438 affects Sync-in Server prior to 1.9.3. A stored XSS flaw allows an authenticated attacker to upload a crafted SVG file containing a malicious payload, enabling execution of arbitrary JavaScript in a victim’s browser and potential exfiltration of sensitive data, including session co...