Sync-in Server has Username Enumeration via Timing Attack
The /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time.
Advisories for Npm/@Sync-in/Server package
2026
Sync-in Server has Username Enumeration via Timing Attack
The /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time.
Sync-in Server has a stored cross-site scripting (XSS) vulnerability
A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the user's session cookies.