CWE-203: Observable Discrepancy — known CVE vulnerabilities
CVEs classified under CWE-203 (Observable Discrepancy), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2019-25337 — CVSS 9.8 (critical): OwnCloud 8.1.8 contains a username enumeration vulnerability that allows remote attackers to discover user accounts by manipulating the…
CVE-2026-23519 — CVSS 9.8 (critical): RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be…
CVE-2025-27667 — CVSS 9.8 (critical): Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Administrative User Email…
CVE-2024-25714 — CVSS 9.8 (critical): In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops…
CVE-2024-25191 — CVSS 9.8 (critical): php-jwt 1.0.0 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a…
CVE-2024-25190 — CVSS 9.8 (critical): l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a…
CVE-2024-25189 — CVSS 9.8 (critical): libjwt 1.15.3 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a…
CVE-2024-23771 — CVSS 9.8 (critical): darkhttpd before 1.15 uses strcmp (which is not constant time) to verify authentication, which makes it easier for remote attackers to…
CVE-2023-40756 — CVSS 9.8 (critical): User enumeration is found in PHPJabbers Callback Widget v1.0. This issue occurs during password recovery, where a difference in messages…
CVE-2022-23304 — CVSS 9.8 (critical): The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side-channel attacks as a result of…
CVE-2022-23303 — CVSS 9.8 (critical): The implementations of SAE in hostapd before 2.10 and wpa_supplicant before 2.10 are vulnerable to side channel attacks as a result of…
CVE-2019-10071 — CVSS 9.8 (critical): The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the…
CVE-2018-1000884 — CVSS 9.8 (critical): Vesta CP version Prior to commit f6f6f9cfbbf2979e301956d1c6ab5c44386822c0 -- any release prior to 0.9.8-18 contains a CWE-208 / Information…
CVE-2025-10890 — CVSS 9.1 (critical): Side-channel information leakage in V8 in Google Chrome prior to 140.0.7339.207 allowed a remote attacker to leak cross-origin data via a…
CVE-2023-26556 — CVSS 9.1 (critical): io.finnet tss-lib before 2.0.0 can leak a secret key via a timing side-channel attack because it relies on the scalar-multiplication…
CVE-2022-40895 — CVSS 9.1 (critical): In certain Nedi products, a vulnerability in the web UI of NeDi login & Community login could allow an unauthenticated, remote attacker to…
CVE-2026-41588 — CVSS 9.0 (critical): RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py —…
CVE-2021-1924 — CVSS 9.0 (critical): Information disclosure through timing and power side-channels during mod exponentiation for RSA-CRT in Snapdragon Auto, Snapdragon Compute…
CVE-2020-3509 — CVSS 8.6 (high): A vulnerability in the DHCP message handler of Cisco IOS XE Software for Cisco cBR-8 Converged Broadband Routers could allow an…
CVE-2023-5410 — CVSS 8.2 (high): A potential security vulnerability has been reported in the system BIOS of certain HP PC products, which might allow memory tampering. HP…
CVE-2024-39830 — CVSS 8.1 (high): Mattermost versions 9.8.x <= 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5, when shared channels are enabled, fail to use…
CVE-2023-6258 — CVSS 8.1 (high): A security vulnerability has been identified in the pkcs11-provider, which is associated with Public-Key Cryptography Standards (PKCS#11)…
CVE-2019-18887 — CVSS 8.1 (high): An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner…
CVE-2019-9815 — CVSS 8.1 (high): If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS…
CVE-2023-25529 — CVSS 8.0 (high): NVIDIA DGX H100 BMC and DGX A100 BMC contains a vulnerability in the host KVM daemon, where an unauthenticated attacker may cause a leak of…
CVE-2024-43095 — CVSS 7.8 (high): In multiple locations, there is a possible way to obtain any system permission due to a logic error in the code. This could lead to local…
CVE-2023-21337 — CVSS 7.8 (high): In InputMethod, there is a possible way to determine whether an app is installed, without query permissions, due to side channel…
CVE-2023-21324 — CVSS 7.8 (high): In Package Installer, there is a possible way to determine whether an app is installed, without query permissions, due to side channel…
CVE-2023-21298 — CVSS 7.8 (high): In Slice, there is a possible disclosure of installed applications due to side channel information disclosure. This could lead to local…
CVE-2022-37459 — CVSS 7.8 (high): Ampere Altra devices before 1.08g and Ampere Altra Max devices before 2.05a allow attackers to control the predictions for return addresses…
CVE-2023-54357 — CVSS 7.5 (high): Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user…
CVE-2026-26315 — CVSS 7.5 (high): go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the…
CVE-2022-50800 — CVSS 7.5 (high): H3C SSL VPN contains a user enumeration vulnerability that allows attackers to identify valid usernames through the 'txtUsrName' POST…
CVE-2025-12888 — CVSS 7.5 (high): Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and…
CVE-2025-41252 — CVSS 7.5 (high): Description: VMware NSX contains a username enumeration vulnerability. An unauthenticated malicious actor may exploit this to enumerate…
CVE-2025-6386 — CVSS 7.5 (high): The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the…
CVE-2025-40732 — CVSS 7.5 (high): user enumeration vulnerability in Daily Expense Manager v1.0. To exploit this vulnerability a POST request must be sent using the name…
CVE-2024-13939 — CVSS 7.5 (high): String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret…
CVE-2025-1468 — CVSS 7.5 (high): An unauthenticated remote attacker can gain access to sensitive information including authentication information when using CODESYS OPC UA…
CVE-2024-41335 — CVSS 7.5 (high): Draytek devices Vigor 165/166 prior to v4.2.6 , Vigor 2620/LTE200 prior to v3.9.8.8, Vigor 2860/2925 prior to v3.9.7, Vigor 2862/2926 prior…
CVE-2025-21510 — CVSS 7.5 (high): Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are…
CVE-2024-54767 — CVSS 7.5 (high): An access control issue in the component /juis_boxinfo.xml of AVM FRITZ!Box 7530 AX v7.59 allows attackers to obtain sensitive information…
CVE-2018-9364 — CVSS 7.5 (high): In the LG LAF component, there is a special command that allowed modification of certain partitions. This could lead to bypass of secure…
CVE-2024-51739 — CVSS 7.5 (high): Combodo iTop is a simple, web based IT Service Management tool. Unauthenticated user can perform users enumeration, which can make it…
CVE-2024-40490 — CVSS 7.5 (high): An issue in Sourcebans++ before v.1.8.0 allows a remote attacker to obtain sensitive information via a crafted XAJAX call to the Forgot…
CVE-2024-39921 — CVSS 7.5 (high): Observable timing discrepancy issue exists in IPCOM EX2 Series V01L02NF0001 to V01L06NF0401, V01L20NF0001 to V01L20NF0401, V02L20NF0001 to…
CVE-2024-37880 — CVSS 7.5 (high): The Kyber reference implementation before 9b8d306, when compiled by LLVM Clang through 18.x with some common optimization options, has a…
CVE-2024-5124 — CVSS 7.5 (high): A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. The…
CVE-2022-45177 — CVSS 7.5 (high): An issue was discovered in LIVEBOX Collaboration vDesk through v031. An Observable Response Discrepancy can occur under the…