Common Weakness Enumeration

CWE-208

Allowed

Observable Timing Discrepancy

Abstraction: Base · Status: Incomplete

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

305 vulnerabilities reference this CWE, most recent first.

CVE-2026-59218 (GCVE-0-2026-59218)

Vulnerability from cvelistv5 – Published: 2026-07-09 15:53 – Updated: 2026-07-09 17:50
VLAI
Title
Open WebUI: Account enumeration via observable login timing discrepancy
Summary
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than missing-email attempts and allowing unauthenticated account enumeration. This issue is fixed in version 0.10.0.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-208 - Observable Timing Discrepancy
Assigner
Impacted products
Vendor Product Version
open-webui open-webui Affected: < 0.10.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-59218",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T17:50:34.890081Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T17:50:41.900Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "open-webui",
          "vendor": "open-webui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.10.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than missing-email attempts and allowing unauthenticated account enumeration. This issue is fixed in version 0.10.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208: Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T15:53:54.653Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7rw5-9f7q-xj36",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-7rw5-9f7q-xj36"
        },
        {
          "name": "https://github.com/open-webui/open-webui/pull/26385",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-webui/open-webui/pull/26385"
        },
        {
          "name": "https://github.com/open-webui/open-webui/commit/993e74912199c66c522f08ec81abe31d76985e39",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-webui/open-webui/commit/993e74912199c66c522f08ec81abe31d76985e39"
        },
        {
          "name": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-webui/open-webui/releases/tag/v0.10.0"
        }
      ],
      "source": {
        "advisory": "GHSA-7rw5-9f7q-xj36",
        "discovery": "UNKNOWN"
      },
      "title": "Open WebUI: Account enumeration via observable login timing discrepancy"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-59218",
    "datePublished": "2026-07-09T15:53:54.653Z",
    "dateReserved": "2026-07-02T21:05:02.924Z",
    "dateUpdated": "2026-07-09T17:50:41.900Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-56764 (GCVE-0-2026-56764)

Vulnerability from cvelistv5 – Published: 2026-07-15 11:25 – Updated: 2026-07-15 11:25
VLAI
Title
Hono - Timing Attack in basicAuth and bearerAuth Middleware
Summary
Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing measurements.
CWE
  • CWE-208 - Observable Timing Discrepancy
Assigner
References
Impacted products
Vendor Product Version
Hono Hono Affected: 0 , < 4.11.10 (semver)
Unaffected: 4.11.10 (semver)
Create a notification for this product.
Date Public
2026-02-18 00:00
Credits
Exagone313
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/hono",
          "product": "Hono",
          "vendor": "Hono",
          "versions": [
            {
              "lessThan": "4.11.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.11.10",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:hono:hono:*:*:*:*:*:node.js:*:*",
                  "versionEndExcluding": "4.11.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Exagone313"
        }
      ],
      "datePublic": "2026-02-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Hono before 4.11.10 contains a timing attack vulnerability in the basicAuth and bearerAuth middlewares due to non-constant-time string comparison in the timingSafeEqual function. Attackers can exploit early termination of string equality checks to infer valid credentials through precise timing measurements."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-15T11:25:32.814Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GitHub Security Advisory (GHSA-gq3j-xvxp-8hrf)",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/honojs/hono/security/advisories/GHSA-gq3j-xvxp-8hrf"
        },
        {
          "name": "VulnCheck Advisory: Hono - Timing Attack in basicAuth and bearerAuth Middleware",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/hono-timing-attack-in-basicauth-and-bearerauth-middleware"
        }
      ],
      "title": "Hono - Timing Attack in basicAuth and bearerAuth Middleware",
      "x_generator": {
        "engine": "vulncheck-endgame"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-56764",
    "datePublished": "2026-07-15T11:25:32.814Z",
    "dateReserved": "2026-06-22T21:55:17.942Z",
    "dateUpdated": "2026-07-15T11:25:32.814Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54736 (GCVE-0-2026-54736)

Vulnerability from cvelistv5 – Published: 2026-07-10 21:02 – Updated: 2026-07-13 18:01
VLAI
Title
Phalcon: Non-constant-time HMAC verification in `Encryption\Crypt::decrypt` (timing side-channel)
Summary
Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first differing byte. This observable timing discrepancy can allow an attacker to recover a valid tag byte-by-byte and attach it to a chosen IV and ciphertext so that decrypt() accepts tampered encrypted content as authentic. This issue is fixed in version 5.14.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-208 - Observable Timing Discrepancy
  • CWE-347 - Improper Verification of Cryptographic Signature
Assigner
Impacted products
Vendor Product Version
phalcon cphalcon Affected: < 5.14.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54736",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-13T18:01:29.598956Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-13T18:01:40.822Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cphalcon",
          "vendor": "phalcon",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.14.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\\Encryption\\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first differing byte. This observable timing discrepancy can allow an attacker to recover a valid tag byte-by-byte and attach it to a chosen IV and ciphertext so that decrypt() accepts tampered encrypted content as authentic. This issue is fixed in version 5.14.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208: Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-10T21:02:53.873Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/phalcon/cphalcon/security/advisories/GHSA-8jqh-95g6-7jpj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/phalcon/cphalcon/security/advisories/GHSA-8jqh-95g6-7jpj"
        },
        {
          "name": "https://github.com/phalcon/cphalcon/issues/17090",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/phalcon/cphalcon/issues/17090"
        },
        {
          "name": "https://github.com/phalcon/cphalcon/pull/17091",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/phalcon/cphalcon/pull/17091"
        },
        {
          "name": "https://github.com/phalcon/cphalcon/commit/ad53ab1b2e7ec59b3af92b0b37b8aaa099011137",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/phalcon/cphalcon/commit/ad53ab1b2e7ec59b3af92b0b37b8aaa099011137"
        },
        {
          "name": "https://github.com/phalcon/cphalcon/releases/tag/v5.14.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/phalcon/cphalcon/releases/tag/v5.14.1"
        }
      ],
      "source": {
        "advisory": "GHSA-8jqh-95g6-7jpj",
        "discovery": "UNKNOWN"
      },
      "title": "Phalcon: Non-constant-time HMAC verification in `Encryption\\Crypt::decrypt` (timing side-channel)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54736",
    "datePublished": "2026-07-10T21:02:53.873Z",
    "dateReserved": "2026-06-15T23:07:33.233Z",
    "dateUpdated": "2026-07-13T18:01:40.822Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54411 (GCVE-0-2026-54411)

Vulnerability from cvelistv5 – Published: 2026-06-14 17:21 – Updated: 2026-06-15 16:59
VLAI
Summary
Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-208 - Observable Timing Discrepancy
Assigner
Impacted products
Vendor Product Version
Linux-PAM Linux-PAM Affected: 0 , ≤ 1.7.2 (semver)
Create a notification for this product.
Credits
Xurshidbek Sobirjonov
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54411",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T16:59:25.401303Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T16:59:37.818Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/linux-pam/linux-pam",
          "defaultStatus": "unknown",
          "modules": [
            "pam_userdb"
          ],
          "product": "Linux-PAM",
          "programFiles": [
            "modules/pam_userdb/pam_userdb.c"
          ],
          "repo": "https://github.com/linux-pam/linux-pam",
          "vendor": "Linux-PAM",
          "versions": [
            {
              "lessThanOrEqual": "1.7.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Xurshidbek Sobirjonov"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eLinux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module\u0027s plaintext-password comparison path in \u003ccode\u003emodules/pam_userdb/pam_userdb.c\u003c/code\u003e that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses \u003ccode\u003estrncmp()\u003c/code\u003e (or \u003ccode\u003estrncasecmp()\u003c/code\u003e when \u003ccode\u003ePAM_ICASE_ARG\u003c/code\u003e is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate\u0027s length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with \u003ccode\u003ecrypt=none\u003c/code\u003e, with an unrecognized crypt method, or without a \u003ccode\u003ecrypt=\u003c/code\u003e argument, causing the module to store and compare credentials in plaintext.\u003c/p\u003e"
            }
          ],
          "value": "Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module\u0027s plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate\u0027s length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker who can repeatedly drive authentication through a service that invokes pam_userdb with plaintext-password configuration and without an artificial failure delay can measure response-timing differences to learn the correct password length and recover the plaintext password byte by byte. Recovery requires many measurements per character and is sensitive to scheduling and network jitter; recovery of one user\u0027s secret does not by itself yield access to other accounts. Practical exploitation is gated by an administrative misconfiguration (pam_userdb storing passwords in plaintext, reached when the module is configured with crypt=none, with an unknown crypt method, or with no crypt= option) and by the absence of failure-delay or rate-limiting in the calling service."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "DIFFUSE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/AU:N/V:D",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "An attacker repeatedly authenticates through a service that calls pam_userdb (plaintext mode) and measures the time the service takes to reject each candidate password to learn the password length and recover the password one byte at a time."
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208 Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-14T17:21:43.853Z",
        "orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
        "shortName": "TuranSec"
      },
      "references": [
        {
          "name": "Linux-PAM - upstream repository",
          "tags": [
            "product"
          ],
          "url": "https://github.com/linux-pam/linux-pam"
        },
        {
          "name": "Vulnerable plaintext-password comparison in pam_userdb.c (master)",
          "tags": [
            "product"
          ],
          "url": "https://github.com/linux-pam/linux-pam/blob/master/modules/pam_userdb/pam_userdb.c#L327"
        },
        {
          "name": "pam_consttime_streq helper available for the remediation",
          "tags": [
            "product"
          ],
          "url": "https://github.com/linux-pam/linux-pam/blob/master/libpam/include/pam_inline.h"
        },
        {
          "name": "CWE-208: Observable Timing Discrepancy",
          "tags": [
            "technical-description"
          ],
          "url": "https://cwe.mitre.org/data/definitions/208.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "x_assigner_notes": "The vulnerable comparison was verified by direct source inspection of modules/pam_userdb/pam_userdb.c at tag v1.7.2 and at master HEAD as of disclosure: lines 327-332 perform a length-equality early exit followed by strncmp() / strncasecmp(). Linux-PAM has previously addressed the same weakness class in a sibling module: NEWS for Release 1.7.0 records \"pam_unix: compare password hashes in constant time\", and Release 1.6.0 hardened pam_mkhomedir \"against timing attacks\". The pam_consttime_streq() helper used by those fixes lives in libpam/include/pam_inline.h, which pam_userdb.c already includes, so the remediation in pam_userdb is a drop-in replacement of the strncmp call. The v1.7.2 release notes do not list a pam_userdb hardening change. Exploitation is gated by (a) the administrator having configured pam_userdb with plaintext password storage (crypt=none, unknown crypt method, or no crypt= option), a discouraged but documented configuration; and (b) the calling service not applying an authentication-failure delay - both gates raise attack complexity and bound real-world impact, so CVSS is scored MEDIUM rather than HIGH consistent with prior CWE-208 timing-leak CVE scoring.",
      "x_author": "Xurshidbek Sobirjonov",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
    "assignerShortName": "TuranSec",
    "cveId": "CVE-2026-54411",
    "datePublished": "2026-06-14T17:21:43.853Z",
    "dateReserved": "2026-06-13T16:39:46.122Z",
    "dateUpdated": "2026-06-15T16:59:37.818Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48859 (GCVE-0-2026-48859)

Vulnerability from cvelistv5 – Published: 2026-06-10 14:35 – Updated: 2026-06-11 04:45
VLAI
Title
SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration
Summary
Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication. When the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames. The user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability. This vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl. This issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-208 - Observable Timing Discrepancy
Assigner
EEF
Impacted products
Vendor Product Version
Erlang OTP Affected: 6.0 , < 6.0.1 (otp)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Create a notification for this product.
Erlang OTP Affected: 29.0 , < 29.0.2 (otp)
Affected: 032d1bc9491a3975c68faf9bc7776115d6ae3005 , < c342092ef4b369bb409d5b71ac8fd83bab74aedf (git)
    cpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
Zhang Delong Jakub Witczak Ingela Anderton Andin Michał Wąsowski
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48859",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T16:19:16.914933Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T16:19:43.145Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "ssh_auth",
            "ssh_options"
          ],
          "packageName": "ssh",
          "packageURL": "pkg:otp/ssh?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp\u0026vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git",
          "product": "OTP",
          "programFiles": [
            "src/ssh_auth.erl",
            "src/ssh_options.erl"
          ],
          "programRoutines": [
            {
              "name": "ssh_auth:check_password/3"
            },
            {
              "name": "ssh_options:get_password_option/2"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "lessThan": "6.0.1",
              "status": "affected",
              "version": "6.0",
              "versionType": "otp"
            }
          ]
        },
        {
          "collectionURL": "https://github.com",
          "cpes": [
            "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unknown",
          "modules": [
            "ssh_auth",
            "ssh_options"
          ],
          "packageName": "erlang/otp",
          "packageURL": "pkg:github/erlang/otp",
          "product": "OTP",
          "programFiles": [
            "lib/ssh/src/ssh_auth.erl",
            "lib/ssh/src/ssh_options.erl"
          ],
          "programRoutines": [
            {
              "name": "ssh_auth:check_password/3"
            },
            {
              "name": "ssh_options:get_password_option/2"
            }
          ],
          "repo": "https://github.com/erlang/otp",
          "vendor": "Erlang",
          "versions": [
            {
              "lessThan": "29.0.2",
              "status": "affected",
              "version": "29.0",
              "versionType": "otp"
            },
            {
              "lessThan": "c342092ef4b369bb409d5b71ac8fd83bab74aedf",
              "status": "affected",
              "version": "032d1bc9491a3975c68faf9bc7776115d6ae3005",
              "versionType": "git"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The SSH daemon must be configured with the \u003ctt\u003euser_passwords\u003c/tt\u003e or \u003ctt\u003epassword\u003c/tt\u003e option for password authentication. Systems using the \u003ctt\u003epwdfun\u003c/tt\u003e option instead are not affected."
            }
          ],
          "value": "The SSH daemon must be configured with the user_passwords or password option for password authentication. Systems using the pwdfun option instead are not affected."
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "29.0.2",
                  "versionStartIncluding": "29.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Zhang Delong"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jakub Witczak"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Ingela Anderton Andin"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "Micha\u0142 W\u0105sowski"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eObservable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication.\u003c/p\u003e\u003cp\u003eWhen the SSH daemon is configured with the \u003ctt\u003euser_passwords\u003c/tt\u003e or \u003ctt\u003epassword\u003c/tt\u003e option, \u003ctt\u003essh_auth:check_password/3\u003c/tt\u003e performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the \u003ctt\u003essh_options:get_password_option/2\u003c/tt\u003e path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames.\u003c/p\u003e\u003cp\u003eThe \u003ctt\u003euser_passwords\u003c/tt\u003e and \u003ctt\u003epassword\u003c/tt\u003e options are documented as intended for test purposes; the recommended alternative is \u003ctt\u003epwdfun\u003c/tt\u003e, which is not affected by this vulnerability.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/ssh/src/ssh_auth.erl\u003c/tt\u003e and \u003ctt\u003elib/ssh/src/ssh_options.erl\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1.\u003c/p\u003e"
            }
          ],
          "value": "Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication.\n\nWhen the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames.\n\nThe user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability.\n\nThis vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl.\n\nThis issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-116",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-116 Excavation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208 Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-11T04:45:32.938Z",
        "orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
        "shortName": "EEF"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "related"
          ],
          "url": "https://github.com/erlang/otp/security/advisories/GHSA-3w6p-vwhf-wvp4"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://cna.erlef.org/cves/CVE-2026-48859.html"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48859"
        },
        {
          "tags": [
            "x_version-scheme"
          ],
          "url": "https://www.erlang.org/doc/system/versions.html#order-of-versions"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/erlang/otp/commit/c342092ef4b369bb409d5b71ac8fd83bab74aedf"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "SSH server timing side-channel in ssh_auth:check_password/3 allows unauthenticated username enumeration",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use the \u003ctt\u003epwdfun\u003c/tt\u003e option instead of \u003ctt\u003euser_passwords\u003c/tt\u003e for password authentication. The \u003ctt\u003epwdfun\u003c/tt\u003e callback gives full control over timing behavior and is not affected by this vulnerability. Implementations should take care to execute in approximately constant time regardless of username validity."
            }
          ],
          "value": "Use the pwdfun option instead of user_passwords for password authentication. The pwdfun callback gives full control over timing behavior and is not affected by this vulnerability. Implementations should take care to execute in approximately constant time regardless of username validity."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Restrict SSH port access to trusted networks only via firewall rules, reducing the set of potential attackers who can perform timing measurements."
            }
          ],
          "value": "Restrict SSH port access to trusted networks only via firewall rules, reducing the set of potential attackers who can perform timing measurements."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
    "assignerShortName": "EEF",
    "cveId": "CVE-2026-48859",
    "datePublished": "2026-06-10T14:35:43.553Z",
    "dateReserved": "2026-05-25T20:44:10.697Z",
    "dateUpdated": "2026-06-11T04:45:32.938Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48166 (GCVE-0-2026-48166)

Vulnerability from cvelistv5 – Published: 2026-06-22 21:40 – Updated: 2026-06-23 12:29
VLAI
Title
Filament: Timing-based user enumeration on login page
Summary
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-208 - Observable Timing Discrepancy
Assigner
References
Impacted products
Vendor Product Version
filamentphp filament Affected: >= 4.0.0, < 4.11.5
Affected: >= 5.0.0, < 5.6.5
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48166",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T12:28:19.870932Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T12:29:33.902Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "filament",
          "vendor": "filamentphp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.11.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.6.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email. This vulnerability is fixed in 4.11.5 and 5.6.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208: Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-22T21:42:37.340Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/filamentphp/filament/security/advisories/GHSA-5w46-g9pq-wh6f"
        }
      ],
      "source": {
        "advisory": "GHSA-5w46-g9pq-wh6f",
        "discovery": "UNKNOWN"
      },
      "title": "Filament: Timing-based user enumeration on login page"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48166",
    "datePublished": "2026-06-22T21:40:01.897Z",
    "dateReserved": "2026-05-20T23:12:43.032Z",
    "dateUpdated": "2026-06-23T12:29:33.902Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-48011 (GCVE-0-2026-48011)

Vulnerability from cvelistv5 – Published: 2026-06-10 20:07 – Updated: 2026-06-11 14:26
VLAI
Title
Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames
Summary
Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-208 - Observable Timing Discrepancy
Assigner
Impacted products
Vendor Product Version
shopware shopware Affected: >= 6.7.0.0, < 6.7.10.1
Affected: < 6.6.10.18
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48011",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-11T14:26:27.848867Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T14:26:36.286Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7w52-7jvm-m9vw"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "shopware",
          "vendor": "shopware",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 6.7.0.0, \u003c 6.7.10.1"
            },
            {
              "status": "affected",
              "version": "\u003c 6.6.10.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208: Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T20:07:02.345Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/shopware/shopware/security/advisories/GHSA-7w52-7jvm-m9vw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7w52-7jvm-m9vw"
        },
        {
          "name": "https://github.com/shopware/shopware/releases/tag/v6.6.10.18",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/shopware/shopware/releases/tag/v6.6.10.18"
        },
        {
          "name": "https://github.com/shopware/shopware/releases/tag/v6.7.10.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/shopware/shopware/releases/tag/v6.7.10.1"
        }
      ],
      "source": {
        "advisory": "GHSA-7w52-7jvm-m9vw",
        "discovery": "UNKNOWN"
      },
      "title": "Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48011",
    "datePublished": "2026-06-10T20:07:02.345Z",
    "dateReserved": "2026-05-20T17:44:09.586Z",
    "dateUpdated": "2026-06-11T14:26:36.286Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47784 (GCVE-0-2026-47784)

Vulnerability from cvelistv5 – Published: 2026-05-20 05:45 – Updated: 2026-05-20 12:21
VLAI
Summary
In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-208 - Observable Timing Discrepancy
Assigner
Impacted products
Vendor Product Version
memcached memcached Affected: 0 , < 1.6.42 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47784",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T12:20:56.239253Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T12:21:02.894Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "memcached",
          "vendor": "memcached",
          "versions": [
            {
              "lessThan": "1.6.42",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.6.42",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208 Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-20T05:45:37.864Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed"
        },
        {
          "url": "https://github.com/memcached/memcached/compare/1.6.41...1.6.42"
        },
        {
          "url": "https://github.com/memcached/memcached/wiki/ReleaseNotes1642"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-47784",
    "datePublished": "2026-05-20T05:45:37.864Z",
    "dateReserved": "2026-05-20T05:45:37.209Z",
    "dateUpdated": "2026-05-20T12:21:02.894Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47783 (GCVE-0-2026-47783)

Vulnerability from cvelistv5 – Published: 2026-05-20 05:43 – Updated: 2026-07-15 00:48
VLAI
Summary
In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-208 - Observable Timing Discrepancy
Assigner
Impacted products
Vendor Product Version
memcached memcached Affected: 0 , < 1.6.42 (semver)
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10 Unaffected: 0:1.6.23-7.el10_2.1 , < * (rpm)
    cpe:/o:redhat:enterprise_linux:10.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9 Unaffected: 0:1.6.9-7.el9_8.1 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:9
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47783",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T12:49:50.253452Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T12:49:58.195Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "packageName": "memcached",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:1.6.23-7.el10_2.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "affected",
            "packageName": "memcached",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:1.6.9-7.el9_8.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "affected",
            "packageName": "memcached",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:7"
            ],
            "defaultStatus": "affected",
            "packageName": "memcached",
            "product": "Red Hat Enterprise Linux 7",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "packageName": "memcached",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-05-20T05:43:46.976Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in memcached. A remote attacker can exploit a timing side channel during Simple Authentication and Security Layer (SASL) password database authentication. This vulnerability allows an attacker to observe subtle timing differences, which could be used to enumerate valid usernames."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-208",
                "description": "Observable Timing Discrepancy",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T00:48:47.525Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-47783"
          },
          {
            "name": "RHBZ#2480089",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480089"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47783.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27842"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:27862"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:27842: Red Hat Enterprise Linux AppStream (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:27862: Red Hat Enterprise Linux AppStream (v. 9)"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-05-20T07:00:55.885Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-05-20T05:43:46.976Z",
            "value": "Made public."
          }
        ],
        "title": "memcached: memcached: Username enumeration via timing side channel",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "memcached",
          "vendor": "memcached",
          "versions": [
            {
              "lessThan": "1.6.42",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.6.42",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208 Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-20T05:43:46.976Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed"
        },
        {
          "url": "https://github.com/memcached/memcached/compare/1.6.41...1.6.42"
        },
        {
          "url": "https://github.com/memcached/memcached/wiki/ReleaseNotes1642"
        }
      ],
      "x_generator": {
        "engine": "CVE-Request-form 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2026-47783",
    "datePublished": "2026-05-20T05:43:46.976Z",
    "dateReserved": "2026-05-20T05:43:46.363Z",
    "dateUpdated": "2026-07-15T00:48:47.525Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47380 (GCVE-0-2026-47380)

Vulnerability from cvelistv5 – Published: 2026-06-23 20:33 – Updated: 2026-06-24 12:32
VLAI
Title
NocoDB: User Enumeration via Sign-In Timing
Summary
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-208 - Observable Timing Discrepancy
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Impacted products
Vendor Product Version
nocodb nocodb Affected: < 2026.04.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47380",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T12:29:58.244930Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T12:32:30.767Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nocodb",
          "vendor": "nocodb",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2026.04.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208: Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T20:33:27.730Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-jr54-jwhj-55gp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-jr54-jwhj-55gp"
        }
      ],
      "source": {
        "advisory": "GHSA-jr54-jwhj-55gp",
        "discovery": "UNKNOWN"
      },
      "title": "NocoDB: User Enumeration via Sign-In Timing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-47380",
    "datePublished": "2026-06-23T20:33:27.730Z",
    "dateReserved": "2026-05-19T19:22:45.728Z",
    "dateUpdated": "2026-06-24T12:32:30.767Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

No mitigation information available for this CWE.

CAPEC-462: Cross-Domain Search Timing

An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.

CAPEC-541: Application Fingerprinting

An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.

CAPEC-580: System Footprinting

An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.