Total
108 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-23892 | 1 Octoprint | 1 Octoprint | 2026-02-02 | N/A | 5.9 MEDIUM |
| OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network. Due to using character based comparison that short-circuits on the first mismatched character during API key validation, rather than a cryptographical method with static runtime regardless of the point of mismatch, an attacker with network based access to an affected OctoPrint could extract API keys valid on the instance by measuring the response times of the denied access responses and guess an API key character by character. The vulnerability is patched in version 1.11.6. The likelihood of this attack actually working is highly dependent on the network's latency, noise and similar parameters. An actual proof of concept was not achieved so far. Still, as always administrators are advised to not expose their OctoPrint instance on hostile networks, especially not on the public Internet. | |||||
| CVE-2025-22234 | 2026-01-26 | N/A | 5.3 MEDIUM | ||
| The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. | |||||
| CVE-2026-23519 | 1 Rustcrypto | 1 Cmov | 2026-01-23 | N/A | 9.8 CRITICAL |
| RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. Prior to 0.4.4, the thumbv6m-none-eabi (Cortex M0, M0+ and M1) compiler emits non-constant time assembly when using cmovnz (portable version). This vulnerability is fixed in 0.4.4. | |||||
| CVE-2025-59432 | 2026-01-23 | N/A | N/A | ||
| SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer (SASL, RFC 4422) authentication mechanisms. Prior to version 3.2, a timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals was used to compare secret values such as client proofs and server signatures. Since Arrays.equals performs a short-circuit comparison, the execution time varies depending on how many leading bytes match. This behavior could allow an attacker to perform a timing side-channel attack and potentially infer sensitive authentication material. All users relying on SCRAM authentication are impacted. This vulnerability has been patched in version 3.1 by replacing Arrays.equals with MessageDigest.isEqual, which ensures constant-time comparison. | |||||
| CVE-2025-27936 | 1 Mattermost | 2 Mattermost Server, Ms Teams | 2026-01-14 | N/A | 5.3 MEDIUM |
| Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison. | |||||
| CVE-2025-43754 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-12 | N/A | 5.3 MEDIUM |
| Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows attackers to determine if an account exist in the application by inspecting the server processing time of the login request. | |||||
| CVE-2025-52457 | 2025-11-18 | N/A | 5.7 MEDIUM | ||
| Observable Timing Discrepancy (CWE-208) in HBUS devices may allow an attacker with physical access to the device to extract device-specific keys, potentially compromising further site security. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a (distributed in 9.30.2881 (MR3)), 9.20 prior to vCR9.20.251028a (distributed in 9.20.3265 (MR5)), 9.10 prior to vCR9.10.251028a (distributed in 9.10.4135 (MR8)), all versions of 9.00 and prior. | |||||
| CVE-2024-39329 | 1 Djangoproject | 1 Django | 2025-11-04 | N/A | 5.3 MEDIUM |
| An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate() method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password. | |||||
| CVE-2024-36469 | 1 Zabbix | 1 Zabbix | 2025-11-03 | N/A | 3.1 LOW |
| Execution time for an unsuccessful login differs when using a non-existing username compared to using an existing one. | |||||
| CVE-2025-54764 | 1 Arm | 1 Mbed Tls | 2025-10-31 | N/A | 6.2 MEDIUM |
| Mbed TLS before 3.6.5 allows a local timing attack against certain RSA operations, and direct calls to mbedtls_mpi_mod_inv or mbedtls_mpi_gcd. | |||||
| CVE-2025-59438 | 1 Arm | 1 Mbed Tls | 2025-10-23 | N/A | 5.3 MEDIUM |
| Mbed TLS through 3.6.4 has an Observable Timing Discrepancy. | |||||
| CVE-2025-54499 | 1 Mattermost | 1 Mattermost Server | 2025-10-21 | N/A | 3.1 LOW |
| Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attackers to exploit timing oracles to perform byte-by-byte brute force attacks via response time analysis on Cloud API keys and OAuth client secrets | |||||
| CVE-2024-7010 | 1 Mudler | 1 Localai | 2025-10-15 | N/A | 5.9 MEDIUM |
| mudler/localai version 2.17.1 is vulnerable to a Timing Attack. This type of side-channel attack allows an attacker to compromise the cryptosystem by analyzing the time taken to execute cryptographic algorithms. Specifically, in the context of password handling, an attacker can determine valid login credentials based on the server's response time, potentially leading to unauthorized access. | |||||
| CVE-2025-0693 | 2025-10-14 | N/A | 5.3 MEDIUM | ||
| Variable response times in the AWS Sign-in IAM user login flow allowed for the use of brute force enumeration techniques to identify valid IAM usernames in an arbitrary AWS account. | |||||
| CVE-2024-42512 | 1 Opcfoundation | 1 Ua .net Standard Stack | 2025-09-29 | N/A | 8.6 HIGH |
| Vulnerability in the OPC UA .NET Standard Stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when the deprecated Basic128Rsa15 security policy is enabled. | |||||
| CVE-2025-9031 | 2025-09-24 | N/A | 4.3 MEDIUM | ||
| Observable Timing Discrepancy vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive Web allows Cross-Domain Search Timing.This issue affects DivvyDrive Web: from 4.8.2.2 before 4.8.2.15. | |||||
| CVE-2025-59350 | 1 Linuxfoundation | 1 Dragonfly | 2025-09-18 | N/A | 5.3 MEDIUM |
| Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times. This vulnerability is fixed in 2.1.0. | |||||
| CVE-2025-8774 | 1 Boom-core | 1 Risvc-boom | 2025-09-16 | 1.0 LOW | 2.5 LOW |
| A vulnerability has been found in riscv-boom SonicBOOM up to 2.2.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component L1 Data Cache Handler. The manipulation leads to observable timing discrepancy. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-59058 | 2025-09-15 | N/A | 5.9 MEDIUM | ||
| httpsig-rs is a Rust implementation of IETF RFC 9421 http message signatures. Prior to version 0.0.19, the HMAC signature comparison is not timing-safe. This makes anyone who uses HS256 signature verification vulnerable to a timing attack that allows the attacker to forge a signature. Version 0.0.19 fixes the issue. | |||||
| CVE-2025-7071 | 2025-08-29 | N/A | N/A | ||
| Padding oracle attack vulnerability in Oberon microsystem AG’s ocrypto library in all versions since 3.1.0 and prior to 3.9.2 allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS#7 decrypt operations. | |||||