Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

166 advisories

Loading
ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint Low
CVE-2026-33877 was published for apostrophe (npm) Apr 16, 2026
offset Credited to offset
Kimai: Username enumeration via timing on X-AUTH-USER Low
GHSA-jrc6-fmhw-fpq2 was published for kimai/kimai (Composer) Apr 17, 2026
melnicek Credited to melnicek
Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel Low
CVE-2026-40263 was published for github.com/enchant97/note-mark/backend (Go) Apr 13, 2026
QiaoNPC Credited to QiaoNPC, Across-Verticals-Malaysia, and enchant97 Across-Verticals-Malaysia Across-Verticals-Malaysia
enchant97 enchant97
Mojic: Observable Timing Discrepancy in HMAC Verification Moderate
CVE-2026-41244 was published for mojic (npm) Apr 16, 2026
notamitgamer2 Credited to notamitgamer2 and notamitgamer notamitgamer notamitgamer
Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider Low
CVE-2026-22746 was published for org.springframework.security:spring-security-core (Maven) Apr 22, 2026
OpenClaw: Shared-secret comparison call sites leaked length information through timing Moderate
CVE-2026-41407 was published for openclaw (npm) Apr 7, 2026
kexinoh Credited to kexinoh
Spring Boot DevTools remote secret comparison is vulnerable to timing attacks High
CVE-2026-40972 was published for org.springframework.boot:spring-boot-devtools (Maven) Apr 28, 2026
Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware Moderate
CVE-2026-41263 was published for github.com/traefik/traefik (Go) Apr 24, 2026
kodareef5 Credited to kodareef5
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening Critical
GHSA-9h64-2846-7x7f was published for github.com/getaxonflow/axonflow (Go) May 6, 2026
Kanidm has non-constant-time comparison of OAuth2 client_secret Low
GHSA-53hj-r94p-8c8f was published for kanidm (Rust) May 6, 2026
mbarbero Credited to mbarbero
mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening High
GHSA-j7h9-2jh7-g967 was published for mcp-ssh-tool (npm) May 7, 2026
phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals() Low
CVE-2026-40194 was published for phpseclib/phpseclib (Composer) Apr 10, 2026
kodareef5 Credited to kodareef5
phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack High
CVE-2026-32935 was published for phpseclib/phpseclib (Composer) Mar 19, 2026
Sync-in Server has Username Enumeration via Timing Attack Moderate
CVE-2026-41161 was published for @sync-in/server (npm) Apr 15, 2026
ppfeister Credited to ppfeister and 7185 7185 7185
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay High
CVE-2026-42602 was published for github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension (Go) May 6, 2026
caitlinhalla Credited to caitlinhalla
pyquorum: Timing side‑channel in mul_mod Moderate
CVE-2026-44368 was published for pyquorum (pip) May 6, 2026
Apache Tomcat - AJP secret compared in non-constant time Low
CVE-2026-43514 was published for org.apache.tomcat.embed:tomcat-embed-core (Maven) May 12, 2026
NocoDB: User Enumeration via Sign-In Timing Low
CVE-2026-47380 was published for nocodb (npm) Jun 5, 2026
AndyAnh174 Credited to AndyAnh174
Django has Observable Timing Discrepancy Low
CVE-2025-13473 was published for Django (pip) Feb 3, 2026
ProTip! Advisories are also available from the GraphQL API