Advisories for Cargo/Static-Web-Server package

A Timing-based username enumeration in Basic Authentication vulnerability due to early response on invalid usernames could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks.

Symbolic links (symlinks) could be used to access files or directories outside the intended web root folder.

If directory listings are enabled for a directory that an untrusted user has upload privileges for, a malicious file name like <img src=x onerror=alert(1)>.txt will allow JavaScript code execution in the context of the web server’s domain.