WordPress Users Exposed through Login Timing Attack
GHSA-w6m9-39cv-2fwp · CVE-2026-40263 · CVSS 3.1: 3.7
Summary
An attacker can determine if a WordPress username exists by sending requests to the login endpoint and measuring response times. This makes it easier to launch targeted attacks against valid accounts. WordPress administrators should implement constant-time authentication to prevent this vulnerability.
What to do
- Update github.com enchant97 to version 0.19.2-0.20260411145025-cf4c6f6acf70.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| go | github.com | enchant97 | < 0.19.2-0.20260411145025-cf4c6f6acf70 (fix: upgrade to 0.19.2-0.20260411145025-cf4c6f6acf70) |
Original description
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate valid usernames by measuring response times, enabling targeted credential attacks. This issue has been fixed in version 0.19.2.
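The description above names the root cause precisely: the expensive bcrypt check only runs when the username exists, so a miss returns measurably faster than a hit. The following Go program is an added illustration written for this page; it is not Note Mark's code and not the fix shipped in 0.19.2. It places the vulnerable pattern beside the usual remedy, which is to always perform the full verification, against a dummy record built at startup when the username is unknown, and to discard the result. To keep the example standard-library only, the slow hash is an iterated SHA-256 stand-in (the project uses bcrypt; a real fix would call bcrypt.CompareHashAndPassword against a dummy bcrypt hash in exactly the same position). All identifiers (`store`, `loginVulnerable`, `loginFixed`, `slowHash`) and the sample account are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// hashRounds makes slowHash cost tens of milliseconds, roughly the order of a
// bcrypt verification, so the timing gap is visible when the program runs.
const hashRounds = 100_000

// slowHash is a stand-in for bcrypt (iterated SHA-256 over salt||password).
// It exists only so this example runs without third-party modules; production
// code must use a real password hash such as bcrypt or argon2id.
func slowHash(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < hashRounds; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

type user struct {
	salt []byte
	hash []byte
}

type store struct {
	users map[string]user
	// dummy is the record of a random, never-disclosed password, computed once
	// at startup so that a lookup miss can still pay the full verification cost.
	dummy user
}

func newStore() *store {
	salt := make([]byte, 16)
	pw := make([]byte, 32)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	if _, err := rand.Read(pw); err != nil {
		panic(err)
	}
	return &store{
		users: map[string]user{},
		dummy: user{salt: salt, hash: slowHash(salt, string(pw))},
	}
}

func (s *store) addUser(name, password string) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	s.users[name] = user{salt: salt, hash: slowHash(salt, password)}
}

// loginVulnerable mirrors the pattern the advisory describes: verification only
// happens when the username exists, so unknown names return almost instantly.
func (s *store) loginVulnerable(name, password string) bool {
	u, ok := s.users[name]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(slowHash(u.salt, password), u.hash) == 1
}

// loginFixed always runs the expensive verification. For an unknown username
// it verifies against the dummy record, then rejects regardless of the outcome,
// so hits and misses take the same time to within noise.
func (s *store) loginFixed(name, password string) bool {
	u, ok := s.users[name]
	if !ok {
		u = s.dummy
	}
	match := subtle.ConstantTimeCompare(slowHash(u.salt, password), u.hash) == 1
	return ok && match
}

// timeLogin measures one login attempt; used only for the demonstration below.
func timeLogin(login func(string, string) bool, name, password string) time.Duration {
	start := time.Now()
	login(name, password)
	return time.Since(start)
}

func main() {
	s := newStore()
	s.addUser("alice", "correct horse battery staple") // constructed sample account
	for _, tc := range []struct {
		label string
		fn    func(string, string) bool
	}{
		{"vulnerable", s.loginVulnerable},
		{"fixed", s.loginFixed},
	} {
		hit := timeLogin(tc.fn, "alice", "wrong password")
		miss := timeLogin(tc.fn, "mallory", "wrong password")
		fmt.Printf("%-10s existing user: %v   unknown user: %v\n", tc.label, hit, miss)
	}
}
```

Running it prints two pairs of timings: the vulnerable path answers the unknown user in microseconds while the existing user costs a full hash, and the fixed path costs a full hash in both cases. Two details matter beyond the dummy verification: the stored hash is compared with `subtle.ConstantTimeCompare` rather than `bytes.Equal`, and the dummy record is built once at startup rather than per request, so it cannot become a second timing or load signal.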
Severity (GHSA, CVSS 3.1): 3.7
Vulnerability type
CWE-208 (Observable Timing Discrepancy)
Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 13 Apr 2026