Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities found for static_web_server by static-web-server
CVE-2026-27480 (GCVE-0-2026-27480)
Vulnerability from nvd – Published: 2026-02-21 09:14 – Updated: 2026-02-24 18:13
VLAI
Title
Static Web Server: Timing-Based Username Enumeration in Basic Authentication
Summary
Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-204 - Observable Response Discrepancy
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/static-web-server/static-web-s… | x_refsource_CONFIRM |
| https://github.com/static-web-server/static-web-s… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| static-web-server | static-web-server |
Affected:
>= 2.1.0, < 2.41.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27480",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T18:13:36.026175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T18:13:51.921Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "static-web-server",
"vendor": "static-web-server",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T09:14:30.376Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2"
},
{
"name": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1"
}
],
"source": {
"advisory": "GHSA-qhp6-635j-x7r2",
"discovery": "UNKNOWN"
},
"title": "Static Web Server: Timing-Based Username Enumeration in Basic Authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27480",
"datePublished": "2026-02-21T09:14:30.376Z",
"dateReserved": "2026-02-19T19:46:03.540Z",
"dateUpdated": "2026-02-24T18:13:51.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67487 (GCVE-0-2025-67487)
Vulnerability from nvd – Published: 2025-12-09 03:35 – Updated: 2025-12-09 16:02
VLAI
Title
Static Web Server is vulnerable to symbolic link Path Traversal
Summary
Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. Versions 2.40.0 and below contain symbolic links (symlinks) which can be used to access files or directories outside the intended web root folder. SWS generally does not prevent symlinks from escaping the web server’s root directory. Therefore, if a malicious actor gains access to the web server’s root directory, they could create symlinks to access other files outside the designated web root folder either by URL or via the directory listing. This issue is fixed in version 2.40.1.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/static-web-server/static-web-s… | x_refsource_CONFIRM |
| https://github.com/static-web-server/static-web-s… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| static-web-server | static-web-server |
Affected:
< 2.40.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67487",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T14:23:20.676609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T16:02:20.028Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-459f-x8vq-xjjm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "static-web-server",
"vendor": "static-web-server",
"versions": [
{
"status": "affected",
"version": "\u003c 2.40.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. Versions 2.40.0 and below contain symbolic links (symlinks) which can be used to access files or directories outside the intended web root folder. SWS generally does not prevent symlinks from escaping the web server\u2019s root directory. Therefore, if a malicious actor gains access to the web server\u2019s root directory, they could create symlinks to access other files outside the designated web root folder either by URL or via the directory listing. This issue is fixed in version 2.40.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T03:35:58.257Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-459f-x8vq-xjjm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-459f-x8vq-xjjm"
},
{
"name": "https://github.com/static-web-server/static-web-server/commit/308f0d26ceb9c2c8bd219315d0f53914763357f2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/static-web-server/static-web-server/commit/308f0d26ceb9c2c8bd219315d0f53914763357f2"
}
],
"source": {
"advisory": "GHSA-459f-x8vq-xjjm",
"discovery": "UNKNOWN"
},
"title": "Static Web Server is vulnerable to symbolic link Path Traversal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67487",
"datePublished": "2025-12-09T03:35:58.257Z",
"dateReserved": "2025-12-08T18:02:08.846Z",
"dateUpdated": "2025-12-09T16:02:20.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27480 (GCVE-0-2026-27480)
Vulnerability from cvelistv5 – Published: 2026-02-21 09:14 – Updated: 2026-02-24 18:13
VLAI
Title
Static Web Server: Timing-Based Username Enumeration in Basic Authentication
Summary
Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-204 - Observable Response Discrepancy
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/static-web-server/static-web-s… | x_refsource_CONFIRM |
| https://github.com/static-web-server/static-web-s… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| static-web-server | static-web-server |
Affected:
>= 2.1.0, < 2.41.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27480",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T18:13:36.026175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T18:13:51.921Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "static-web-server",
"vendor": "static-web-server",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.41.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T09:14:30.376Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2"
},
{
"name": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1"
}
],
"source": {
"advisory": "GHSA-qhp6-635j-x7r2",
"discovery": "UNKNOWN"
},
"title": "Static Web Server: Timing-Based Username Enumeration in Basic Authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27480",
"datePublished": "2026-02-21T09:14:30.376Z",
"dateReserved": "2026-02-19T19:46:03.540Z",
"dateUpdated": "2026-02-24T18:13:51.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-67487 (GCVE-0-2025-67487)
Vulnerability from cvelistv5 – Published: 2025-12-09 03:35 – Updated: 2025-12-09 16:02
VLAI
Title
Static Web Server is vulnerable to symbolic link Path Traversal
Summary
Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. Versions 2.40.0 and below contain symbolic links (symlinks) which can be used to access files or directories outside the intended web root folder. SWS generally does not prevent symlinks from escaping the web server’s root directory. Therefore, if a malicious actor gains access to the web server’s root directory, they could create symlinks to access other files outside the designated web root folder either by URL or via the directory listing. This issue is fixed in version 2.40.1.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/static-web-server/static-web-s… | x_refsource_CONFIRM |
| https://github.com/static-web-server/static-web-s… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| static-web-server | static-web-server |
Affected:
< 2.40.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67487",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T14:23:20.676609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T16:02:20.028Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-459f-x8vq-xjjm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "static-web-server",
"vendor": "static-web-server",
"versions": [
{
"status": "affected",
"version": "\u003c 2.40.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. Versions 2.40.0 and below contain symbolic links (symlinks) which can be used to access files or directories outside the intended web root folder. SWS generally does not prevent symlinks from escaping the web server\u2019s root directory. Therefore, if a malicious actor gains access to the web server\u2019s root directory, they could create symlinks to access other files outside the designated web root folder either by URL or via the directory listing. This issue is fixed in version 2.40.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T03:35:58.257Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-459f-x8vq-xjjm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-459f-x8vq-xjjm"
},
{
"name": "https://github.com/static-web-server/static-web-server/commit/308f0d26ceb9c2c8bd219315d0f53914763357f2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/static-web-server/static-web-server/commit/308f0d26ceb9c2c8bd219315d0f53914763357f2"
}
],
"source": {
"advisory": "GHSA-459f-x8vq-xjjm",
"discovery": "UNKNOWN"
},
"title": "Static Web Server is vulnerable to symbolic link Path Traversal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67487",
"datePublished": "2025-12-09T03:35:58.257Z",
"dateReserved": "2025-12-08T18:02:08.846Z",
"dateUpdated": "2025-12-09T16:02:20.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}