Vulnerability Details CVE-2026-41161
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This issue has been patched in version 2.2.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 15.4%
CVSS Severity
CVSS v3 Score 5.3
References
Products affected by CVE-2026-41161
-
cpe:2.3:a:sync-in:sync-in_server:1.1.0
-
cpe:2.3:a:sync-in:sync-in_server:1.1.1
-
cpe:2.3:a:sync-in:sync-in_server:1.10.0
-
cpe:2.3:a:sync-in:sync-in_server:1.10.1
-
cpe:2.3:a:sync-in:sync-in_server:1.11.0
-
cpe:2.3:a:sync-in:sync-in_server:1.2.0
-
cpe:2.3:a:sync-in:sync-in_server:1.2.1
-
cpe:2.3:a:sync-in:sync-in_server:1.2.2
-
cpe:2.3:a:sync-in:sync-in_server:1.3.0
-
cpe:2.3:a:sync-in:sync-in_server:1.3.1
-
cpe:2.3:a:sync-in:sync-in_server:1.3.2
-
cpe:2.3:a:sync-in:sync-in_server:1.3.8
-
cpe:2.3:a:sync-in:sync-in_server:1.3.9
-
cpe:2.3:a:sync-in:sync-in_server:1.4.0
-
cpe:2.3:a:sync-in:sync-in_server:1.5.0
-
cpe:2.3:a:sync-in:sync-in_server:1.5.1
-
cpe:2.3:a:sync-in:sync-in_server:1.5.2
-
cpe:2.3:a:sync-in:sync-in_server:1.6.0
-
cpe:2.3:a:sync-in:sync-in_server:1.6.1
-
cpe:2.3:a:sync-in:sync-in_server:1.7.0
-
cpe:2.3:a:sync-in:sync-in_server:1.8.0
-
cpe:2.3:a:sync-in:sync-in_server:1.8.1
-
cpe:2.3:a:sync-in:sync-in_server:1.9.0
-
cpe:2.3:a:sync-in:sync-in_server:1.9.1
-
cpe:2.3:a:sync-in:sync-in_server:1.9.2
-
cpe:2.3:a:sync-in:sync-in_server:1.9.3
-
cpe:2.3:a:sync-in:sync-in_server:1.9.4
-
cpe:2.3:a:sync-in:sync-in_server:1.9.5
-
cpe:2.3:a:sync-in:sync-in_server:1.9.6
-
cpe:2.3:a:sync-in:sync-in_server:2.0.0
-
cpe:2.3:a:sync-in:sync-in_server:2.1.0