Search Vulnerabilities

OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret

Mojic: Observable Timing Discrepancy in HMAC Verification

4ga Boards: User Enumeration via Timing Side-Channel in Authentication Endpoint

Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel

ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint

Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks

phpseclib has a variable-time HMAC comparison in SSH2::get_binary_packet() using != instead of hash_equals()

Parse Server has a login timing side-channel reveals user existence

Traefik: BasicAuth Middleware Timing Attack Allows Username Enumeration

h3 has an observable timing discrepancy in basic auth utils

phpseclib's AES-CBC unpadding susceptible to padding oracle timing attack

Cleanuparr has Username Enumeration via Timing Attack

OpenClaw < 2026.2.13 - Timing Attack via Hook Token Comparison

OpenClaw < 2026.2.12 - Timing Attack in Hooks Token Authentication

Timing Side-Channel in AES-CCM Tag Verification in AWS-LC

Apache Shiro: Brute force attack possible to determine valid user names

Trilium Notes has a Timing Attack Vulnerability in /api/login/sync

PrestaShop has a time based enumeration in FO login form

Username enumeration through timing difference in mod_wsgi authentication handler