5.3
CVE-2026-27480
- EPSS 0.35%
- Veröffentlicht 21.02.2026 09:14:30
- Zuletzt bearbeitet 24.02.2026 16:55:37
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Static Web Server: Timing-Based Username Enumeration in Basic Authentication
Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Static-web-server ≫ Static Web Server SwPlatformrust Version >= 2.1.0 < 2.41.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.35% | 0.266 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
CWE-204 Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2
https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1