GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
101 advisories
Traefik: A timing side-channel vulnerability allows for valid username enumeration via BasicAuth middleware
Moderate
CVE-2026-41263
was published
for
github.com/traefik/traefik
(Go)
Apr 24, 2026
Kimai: Username enumeration via timing on X-AUTH-USER
Low
GHSA-jrc6-fmhw-fpq2
was published
for
kimai/kimai
(Composer)
Apr 17, 2026
Mojic: Observable Timing Discrepancy in HMAC Verification
Moderate
CVE-2026-41244
was published
for
mojic
(npm)
Apr 16, 2026
ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint
Low
CVE-2026-33877
was published
for
apostrophe
(npm)
Apr 16, 2026
Sync-in Server has Username Enumeration via Timing Attack
Moderate
CVE-2026-41161
was published
for
@sync-in/server
(npm)
Apr 15, 2026
Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel
Low
CVE-2026-40263
was published
for
github.com/enchant97/note-mark/backend
(Go)
Apr 13, 2026
phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()
Low
CVE-2026-40194
was published
for
phpseclib/phpseclib
(Composer)
Apr 10, 2026
Parse Server has a login timing side-channel reveals user existence
Moderate
CVE-2026-39321
was published
for
parse-server
(npm)
Apr 8, 2026
OpenClaw: Shared-secret comparison call sites leaked length information through timing
Moderate
CVE-2026-41407
was published
for
openclaw
(npm)
Apr 7, 2026
FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel
Moderate
GHSA-7789-65hx-f26w
was published
for
github.com/gtsteffaniak/filebrowser/backend
(Go)
Mar 24, 2026
Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration
Moderate
CVE-2026-32595
was published
for
github.com/traefik/traefik
(Go)
Mar 20, 2026
h3 has an observable timing discrepancy in basic auth utils
Moderate
CVE-2026-33129
was published
for
h3
(npm)
Mar 18, 2026
OpenClaw: Unauthorized Telegram Senders Trigger Media Download and Disk Write Before Access Check
Moderate
GHSA-h656-5vcf-cm23
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw has non-constant-time token comparison in hooks authentication
High
CVE-2026-28464
was published
for
openclaw
(npm)
Mar 2, 2026
OpenClaw: Config writes could persist resolved ${VAR} secrets to disk
Moderate
CVE-2026-28475
was published
for
openclaw
(npm)
Mar 2, 2026
Hono added timing comparison hardening in basicAuth and bearerAuth
Low
GHSA-gq3j-xvxp-8hrf
was published
for
hono
(npm)
Feb 19, 2026
ProTip!
Advisories are also available from the
GraphQL API