MEDIUM
mauriceboe
CVE published 2026-05-28
CVE-2026-45410
TREK collaborative travel planner versions prior to 3.0.18 contain a user enumeration vulnerability via timing side-channel. The login endpoint exhibits a measurable latency difference (~370 ms vs ~10 ms) based on whether a submitted email address exists in the database, caused by bcrypt password comparison being performed only for valid users. This ~14× timing discrepancy allows remote attackers to enume [truncated]
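
The flaw pattern described above next to a hardened form, as an added example that is not TREK's code and does not represent the 3.0.18 patch. It assumes PBKDF2 from the Python standard library as a stand-in for bcrypt; the user table, the function names and the call counter (used in place of wall-clock latency) are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor for the stand-in KDF
kdf_calls = 0         # instrumentation: counts expensive hash operations

def slow_hash(password, salt):
    """Stand-in for bcrypt: a deliberately expensive password hash."""
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password):
    """Build a (salt, hash) record as a user table would store it."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)

# Constructed sample user table: email -> (salt, hash).
USERS = {"alice@example.com": make_record("correct horse")}
# Record for a random throwaway password, used when the email is unknown.
DUMMY = make_record(os.urandom(16).hex())

def login_vulnerable(email, password):
    """Pattern from the advisory: unknown emails skip the expensive hash."""
    record = USERS.get(email)
    if record is None:
        return False  # fast path: latency reveals that no account exists
    salt, stored = record
    return hmac.compare_digest(slow_hash(password, salt), stored)

def login_hardened(email, password):
    """Performs exactly one hash comparison whether or not the email exists."""
    record = USERS.get(email)
    salt, stored = record if record is not None else DUMMY
    matches = hmac.compare_digest(slow_hash(password, salt), stored)
    return matches and record is not None

def hash_work(login, email, password):
    """Return how many expensive hashes a single login attempt performed."""
    before = kdf_calls
    login(email, password)
    return kdf_calls - before
```

Equal hash work removes the dominant latency gap; the error message and status code returned for both cases must also be identical, and rate limiting on the endpoint still applies.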