Total
712 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-47057 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| SummaryThis advisory addresses a security vulnerability in Mautic related to the "Forget your password" functionality. This vulnerability could be exploited by unauthenticated users to enumerate valid usernames. User Enumeration via Timing Attack: A user enumeration vulnerability exists in the "Forget your password" functionality. Differences in response times for existing and non-existing users, combined with a lack of request limiting, allow an attacker to determine the existence of usernames through a timing-based attack. MitigationPlease update to a version that addresses this timing vulnerability, where password reset responses are normalized to respond at the same time regardless of user existence. | |||||
| CVE-2025-9031 | 2026-04-15 | N/A | 4.3 MEDIUM | ||
| Observable Timing Discrepancy vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive Web allows Cross-Domain Search Timing.This issue affects DivvyDrive Web: from 4.8.2.2 before 4.8.2.15. | |||||
| CVE-2021-47664 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| Due to improper authentication mechanism an unauthenticated remote attacker can enumerate valid usernames. | |||||
| CVE-2024-48644 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| Accounts enumeration vulnerability in the Login Component of Reolink Duo 2 WiFi Camera (Firmware Version v3.0.0.1889_23031701) allows remote attackers to determine valid user accounts via login attempts. This can lead to the enumeration of user accounts and potentially facilitate other attacks, such as brute-forcing of passwords. The vulnerability arises from the application responding differently to login attempts with valid and invalid usernames. | |||||
| CVE-2024-54454 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| An issue was discovered in Kurmi Provisioning Suite before 7.9.0.35, 7.10.x through 7.10.0.18, and 7.11.x through 7.11.0.15. An Observable Response Discrepancy vulnerability in the sendPasswordReinitLink action of the unlogged.do page allows remote attackers to test whether a username is valid or not. This allows confirmation of valid usernames. | |||||
| CVE-2025-54477 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| Improper handling of authentication requests lead to a user enumeration vector in the passkey authentication method. | |||||
| CVE-2024-30171 | 2026-04-15 | N/A | 5.9 MEDIUM | ||
| An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing. | |||||
| CVE-2024-12663 | 2026-04-15 | 2.6 LOW | 3.7 LOW | ||
| A vulnerability classified as problematic was found in funnyzpc Mee-Admin up to 1.6. This vulnerability affects unknown code of the file /mee/login of the component Login. The manipulation of the argument username leads to observable response discrepancy. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2023-30312 | 2026-04-15 | N/A | 7.3 HIGH | ||
| An issue discovered in OpenWrt 18.06, 19.07, 21.02, 22.03, and beyond allows off-path attackers to hijack TCP sessions, which could lead to a denial of service, impersonating the client to the server (e.g., for access to files over FTP), and impersonating the server to the client (e.g., to deliver false information from a finance website). This occurs because nf_conntrack_tcp_no_window_check is true by default. | |||||
| CVE-2024-28885 | 2026-04-15 | N/A | 5.9 MEDIUM | ||
| Observable discrepancy in some Intel(R) QAT Engine for OpenSSL software before version v1.6.1 may allow information disclosure via network access. | |||||
| CVE-2023-5410 | 2026-04-15 | N/A | 8.2 HIGH | ||
| A potential security vulnerability has been reported in the system BIOS of certain HP PC products, which might allow memory tampering. HP is releasing mitigation for the potential vulnerability. | |||||
| CVE-2024-41880 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| In veilid-core in Veilid before 0.3.4, the protocol's ping function can be misused in a way that decreases the effectiveness of safety and private routes. | |||||
| CVE-2025-23182 | 2026-04-15 | N/A | 4.3 MEDIUM | ||
| CWE-203: Observable Discrepancy | |||||
| CVE-2023-37482 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| The login functionality of the web server in affected devices does not normalize the response times of login attempts. An unauthenticated remote attacker could exploit this side-channel information to distinguish between valid and invalid usernames. | |||||
| CVE-2025-24506 | 2026-04-15 | N/A | N/A | ||
| A specific authentication strategy allows to learn ids of PAM users associated with certain authentication types. | |||||
| CVE-2025-46804 | 2026-04-15 | N/A | 3.3 LOW | ||
| A minor information leak when running Screen with setuid-root privileges allows unprivileged users to deduce information about a path that would otherwise not be available. Affected are older Screen versions, as well as version 5.0.0. | |||||
| CVE-2020-10369 | 2026-04-15 | N/A | 5.5 MEDIUM | ||
| Certain Cypress (and Broadcom) Wireless Combo chips, when a January 2021 firmware update is not present, allow inferences about memory content via a "Spectra" attack. | |||||
| CVE-2024-40490 | 2026-04-15 | N/A | 7.5 HIGH | ||
| An issue in Sourcebans++ before v.1.8.0 allows a remote attacker to obtain sensitive information via a crafted XAJAX call to the Forgot Password function. | |||||
| CVE-2020-10367 | 2026-04-15 | N/A | 5.5 MEDIUM | ||
| Certain Cypress (and Broadcom) Wireless Combo chips, when a January 2021 firmware update is not present, allow memory access via a "Spectra" attack. | |||||
| CVE-2025-6386 | 2026-04-15 | N/A | 7.5 HIGH | ||
| The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolved in version 20.1. The vulnerability arises from the use of Python's default string equality operator for password comparison, which compares characters sequentially and exits on the first mismatch, leading to variable response times based on the number of matching initial characters. | |||||