PT-2026-21333 · Unknown · Static Web Server
Naoyashiga · Published 2026-02-20 · Updated 2026-02-24 · CVE-2026-27480
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Static Web Server versions 2.1.0 through 2.40.1
Description: Static Web Server (SWS) has a timing-based username enumeration issue in Basic Authentication. The server checks whether the supplied username exists before it verifies the password. A valid username goes through the slower code path (bcrypt hashing), while an invalid username receives an immediate 401 response. By measuring the response time of the authentication endpoint, an attacker can tell existing accounts from non-existing ones and then focus brute-force or credential-stuffing attempts on the accounts that exist.
Recommendations: Versions 2.1.0 through 2.40.1 should be updated to version 2.41.0 or later.
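The two check shapes the description contrasts, as an added Rust example that is not Static Web Server's own code: a stand-in slow hash replaces bcrypt so the block runs on std only, and each result carries a hash_ops count showing how much work the request did (the names AuthStore, check_vulnerable and check_hardened are assumptions).

```rust
use std::collections::HashMap;
// Stand-in for an expensive password hash (bcrypt in the real server): a slow
// iterated hash built on std only so the example needs no crates. Not a real KDF.
fn slow_hash(password: &str, salt: &str) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for _ in 0..50_000 {
        for b in salt.bytes().chain(password.bytes()) {
            h = (h ^ b as u64).wrapping_mul(0x0000_0100_0000_01b3);
        }
    }
    h
}
// hash_ops counts hash verifications run: the work an observer sees as latency.
pub struct Outcome { pub authenticated: bool, pub hash_ops: u32 }
pub struct AuthStore {
    users: HashMap<String, (String, u64)>, // username -> (salt, hash)
    dummy: (String, u64),                  // absorbs the work for unknown users
}
impl AuthStore {
    pub fn new(creds: &[(&str, &str)]) -> Self {
        // Constructed per-user salts; a real store draws them at random.
        let users = creds.iter().map(|&(u, p)| {
            let salt = format!("salt-{u}");
            (u.to_string(), (salt.clone(), slow_hash(p, &salt)))
        }).collect();
        let dummy = ("dummy-salt".to_string(), slow_hash("never-accepted", "dummy-salt"));
        AuthStore { users, dummy }
    }

    // Vulnerable shape (CVE-2026-27480): an unknown username returns before any
    // hashing, so its 401 arrives measurably faster than a wrong-password 401.
    pub fn check_vulnerable(&self, user: &str, pass: &str) -> Outcome {
        match self.users.get(user) {
            None => Outcome { authenticated: false, hash_ops: 0 },
            Some((salt, hash)) => Outcome { authenticated: slow_hash(pass, salt) == *hash, hash_ops: 1 },
        }
    }

    // Hardened shape: exactly one verification per request. An unknown user is
    // checked against the dummy credential and rejected only afterwards.
    pub fn check_hardened(&self, user: &str, pass: &str) -> Outcome {
        let (salt, hash, known) = match self.users.get(user) {
            Some((s, h)) => (s, h, true),
            None => (&self.dummy.0, &self.dummy.1, false),
        };
        let matches = slow_hash(pass, salt) == *hash; // real code: constant-time compare
        Outcome { authenticated: known & matches, hash_ops: 1 }
    }
}
```

The hardened path is what a fix for this class of bug looks like: the amount of hashing no longer depends on whether the username exists, so response time stops leaking account validity.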


Related Identifiers

CVE-2026-27480
GHSA-QHP6-635J-X7R2

Affected Products

Static Web Server