
CVE-2026-41418

Published 24/04/2026 19:17 · Modified 24/04/2026 19:17

Labels: CVE-2026-41418, 2026-04-24, CWE-208, [email protected]

Essential information

Published: 24/04/2026 19:17
Modified: 24/04/2026 19:17
CVSS: 5.3 MEDIUM (v3.1)
CISA KEV: No
CWE: CWE-208
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N


Description

4ga Boards is a boards system for realtime project management. Prior to 3.3.5, 4ga Boards is vulnerable to user enumeration via a timing side-channel in the login endpoint (POST /api/access-tokens). When an invalid username/email is provided, the server responds immediately (~17ms average). When a valid username/email is provided with an incorrect password, the server first performs a bcrypt.compareSync() operation (~74ms average) before responding. This ~4.4× timing difference is trivially detectable even over a network — a single request suffices. This vulnerability is fixed in 3.3.5.
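The early-return pattern described above, next to one common mitigation, as an added example that is not 4ga Boards code and not necessarily the fix shipped in 3.3.5. Assumptions: Node's built-in scrypt stands in for bcrypt, the user store and all function names are constructed, and a counter of hash operations serves as a deterministic proxy for response time.

```javascript
// Added example: stand-in for a login check; not code from 4ga Boards.
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

let kdfCalls = 0; // counts expensive hash operations (proxy for response time)

// Assumption: scrypt replaces bcrypt so the example needs no third-party package.
function hashPassword(password, salt = randomBytes(16)) {
  kdfCalls += 1;
  return { salt, hash: scryptSync(password, salt, 32) };
}

function verifyPassword(password, record) {
  const candidate = hashPassword(password, record.salt).hash;
  return timingSafeEqual(candidate, record.hash);
}

// Constructed sample user store.
const users = new Map([['alice@example.test', hashPassword('correct horse')]]);

// Dummy record for unknown accounts, computed once at startup from a random secret.
const DUMMY = hashPassword(randomBytes(16).toString('hex'));

// Behaviour described in the advisory: unknown accounts return before any hashing,
// so the response is much faster than for a known account with a wrong password.
function loginVulnerable(email, password) {
  const record = users.get(email);
  if (!record) return false;
  return verifyPassword(password, record);
}

// Hardened: every attempt pays for exactly one verification, against DUMMY when the
// account does not exist, and the result is forced to false in that case.
function loginHardened(email, password) {
  const record = users.get(email);
  const ok = verifyPassword(password, record || DUMMY);
  return Boolean(record) && ok;
}

// Number of expensive hash operations a single login attempt triggers.
function kdfCost(login, email, password) {
  const before = kdfCalls;
  login(email, password);
  return kdfCalls - before;
}
```

Equalising the hashing work removes the dominant timing signal; the response body and status code for both failure cases must also be identical, and rate limiting on the login endpoint remains a separate control.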

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product: 4ga / boards
CPE: cpe:2.3:a:4ga:boards:<3.3.5:*:*:*:*:*:*:*
