Search for packages
| purl | pkg:cargo/static-web-server@2.1.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-157z-e7ux-tfcg
Aliases: CVE-2026-27480 GHSA-qhp6-635j-x7r2 |
Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-11T20:38:04.832395+00:00 | GHSA Importer | Affected by | VCID-157z-e7ux-tfcg | https://github.com/advisories/GHSA-qhp6-635j-x7r2 | 38.6.0 |