{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-07T02:23:11.125","vulnerabilities":[{"cve":{"id":"CVE-2026-27480","sourceIdentifier":"security-advisories@github.com","published":"2026-02-21T10:16:12.210","lastModified":"2026-02-24T16:55:37.307","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0."},{"lang":"es","value":"Servidor Web Estático (SWS) es un servidor web listo para producción, adecuado para archivos web estáticos o activos. En las versiones 2.1.0 a la 2.40.1, una vulnerabilidad de enumeración de nombres de usuario basada en tiempo en la Autenticación Básica permite a los atacantes identificar usuarios válidos explotando respuestas tempranas para nombres de usuario inválidos, lo que permite ataques de fuerza bruta dirigidos o de relleno de credenciales. SWS verifica si un nombre de usuario existe antes de verificar la contraseña, haciendo que los nombres de usuario válidos sigan una ruta de código más lenta (por ejemplo, el hash bcrypt) mientras que los nombres de usuario inválidos reciben una respuesta 401 inmediata. Esta discrepancia de tiempo permite a los atacantes enumerar cuentas válidas midiendo las diferencias en el tiempo de respuesta. Este problema ha sido solucionado en la versión 2.41.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-204"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:static-web-server:static_web_server:*:*:*:*:*:rust:*:*","versionStartIncluding":"2.1.0","versionEndExcluding":"2.41.0","matchCriteriaId":"D0CB0D00-4F6E-4CBD-BC05-02533F489AE3"}]}]}],"references":[{"url":"https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}