Vulnerability Details CVE-2026-27480
Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames, enabling targeted brute-force or credential-stuffing attacks. SWS checks whether a username exists before verifying the password, causing valid usernames to follow a slower code path (e.g., bcrypt hashing) while invalid usernames receive an immediate 401 response. This timing discrepancy allows attackers to enumerate valid accounts by measuring response-time differences. This issue has been fixed in version 2.41.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 1.8%
CVSS Severity
CVSS v3 Score 5.3
References
Products affected by CVE-2026-27480
-
cpe:2.3:a:static-web-server:static_web_server:2.1.0
-
cpe:2.3:a:static-web-server:static_web_server:2.10.0
-
cpe:2.3:a:static-web-server:static_web_server:2.11.0
-
cpe:2.3:a:static-web-server:static_web_server:2.12.0
-
cpe:2.3:a:static-web-server:static_web_server:2.13.0
-
cpe:2.3:a:static-web-server:static_web_server:2.13.1
-
cpe:2.3:a:static-web-server:static_web_server:2.14.0
-
cpe:2.3:a:static-web-server:static_web_server:2.14.1
-
cpe:2.3:a:static-web-server:static_web_server:2.14.2
-
cpe:2.3:a:static-web-server:static_web_server:2.15.0
-
cpe:2.3:a:static-web-server:static_web_server:2.16.0
-
cpe:2.3:a:static-web-server:static_web_server:2.17.0
-
cpe:2.3:a:static-web-server:static_web_server:2.18.0
-
cpe:2.3:a:static-web-server:static_web_server:2.19.0
-
cpe:2.3:a:static-web-server:static_web_server:2.2.0
-
cpe:2.3:a:static-web-server:static_web_server:2.20.0
-
cpe:2.3:a:static-web-server:static_web_server:2.20.1
-
cpe:2.3:a:static-web-server:static_web_server:2.20.2
-
cpe:2.3:a:static-web-server:static_web_server:2.21.0
-
cpe:2.3:a:static-web-server:static_web_server:2.21.1
-
cpe:2.3:a:static-web-server:static_web_server:2.22.0
-
cpe:2.3:a:static-web-server:static_web_server:2.22.1
-
cpe:2.3:a:static-web-server:static_web_server:2.23.0
-
cpe:2.3:a:static-web-server:static_web_server:2.24.0
-
cpe:2.3:a:static-web-server:static_web_server:2.24.1
-
cpe:2.3:a:static-web-server:static_web_server:2.24.2
-
cpe:2.3:a:static-web-server:static_web_server:2.25.0
-
cpe:2.3:a:static-web-server:static_web_server:2.26.0
-
cpe:2.3:a:static-web-server:static_web_server:2.27.0
-
cpe:2.3:a:static-web-server:static_web_server:2.28.0
-
cpe:2.3:a:static-web-server:static_web_server:2.3.0
-
cpe:2.3:a:static-web-server:static_web_server:2.30.0
-
cpe:2.3:a:static-web-server:static_web_server:2.31.0
-
cpe:2.3:a:static-web-server:static_web_server:2.31.1
-
cpe:2.3:a:static-web-server:static_web_server:2.32.0
-
cpe:2.3:a:static-web-server:static_web_server:2.32.1
-
cpe:2.3:a:static-web-server:static_web_server:2.32.2
-
cpe:2.3:a:static-web-server:static_web_server:2.33.0
-
cpe:2.3:a:static-web-server:static_web_server:2.33.1
-
cpe:2.3:a:static-web-server:static_web_server:2.34.0
-
cpe:2.3:a:static-web-server:static_web_server:2.35.0
-
cpe:2.3:a:static-web-server:static_web_server:2.36.0
-
cpe:2.3:a:static-web-server:static_web_server:2.36.1
-
cpe:2.3:a:static-web-server:static_web_server:2.37.0
-
cpe:2.3:a:static-web-server:static_web_server:2.38.0
-
cpe:2.3:a:static-web-server:static_web_server:2.38.1
-
cpe:2.3:a:static-web-server:static_web_server:2.39.0
-
cpe:2.3:a:static-web-server:static_web_server:2.4.0
-
cpe:2.3:a:static-web-server:static_web_server:2.40.0
-
cpe:2.3:a:static-web-server:static_web_server:2.40.1
-
cpe:2.3:a:static-web-server:static_web_server:2.5.0
-
cpe:2.3:a:static-web-server:static_web_server:2.6.0
-
cpe:2.3:a:static-web-server:static_web_server:2.7.0
-
cpe:2.3:a:static-web-server:static_web_server:2.7.1
-
cpe:2.3:a:static-web-server:static_web_server:2.8.0
-
cpe:2.3:a:static-web-server:static_web_server:2.9.0