CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

275 matches found

CVE-2026-47386

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, two concurrent token-exchange requests using the same OAuth authorization code could each mint a distinct valid accesstoken, refreshtoken pair, breaking the single-use guarantee that PKCE relies on. This vulnerability ...

6.3CVSS5.9AI score0.00072EPSS

Exploits0References2Affected Software1

CVE•added 2026/06/12 8:59 a.m.•20 views

CVE-2026-50631

CVE-2026-50631 : A TOCTOU race condition in Apache CXF's AbstractOAuthDataProvider allows concurrent requests to reuse the same Refresh Token when recycleRefreshTokens is false, bypassing single-use semantics and generating multiple valid Access Tokens. This can enable token replay/abuse by multi...

7.4CVSS5.3AI score0.00294EPSS

Exploits0References2Affected Software1

EUVD•added 2026/06/12 8:59 a.m.•9 views

EUVD-2026-36399

A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or...

7.4CVSS5.2AI score0.00294EPSS

Exploits0References1

Github Security Blog•added 2026/06/05 3:25 p.m.•12 views

Omni has a TOCTOU race condition that allows multiple concurrent uses of a single-use SAML session token

Summary SAML.getSession internal/pkg/auth/interceptor/saml.go checks the Used flag on a SAMLAssertion resource and then marks it used in two separate state operations. Because the check and the update are not atomic, concurrent requests carrying the same saml-session token can both observe Used =...

5.4AI score0.00018EPSS

Exploits0References4Affected Software1

Positive Technologies•added 2026/06/05 12:0 a.m.•10 views

PT-2026-47084

Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.05.1 Description A flaw in the token-exchange flow allows two concurrent requests using the same OAuth authorization code to each generate a distinct valid access token and refresh token pair. This occurs because...

6.3CVSS6AI score0.00072EPSS

Exploits0References5

CNNVD•added 2026/05/27 12:0 a.m.•6 views

free5GC 安全漏洞

free5GC is an open-source project for the 5th generation 5G mobile core network. Versions of free5GC prior to 4.2.2 contained security vulnerabilities. These vulnerabilities stemmed from the PUT processor in the BSF module, which allowed unsynchronized writes to the global Subscriptions mapping,...

6.5CVSS5.8AI score0.00268EPSS

Exploits1References4

Github Security Blog•added 2026/05/26 7:30 p.m.•15 views

Pterodactyl has a database resource limit bypass via race condition in Client API

Summary The Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything. Details Inside DatabaseController.php, the...

2.3CVSS5.9AI score0.00212EPSS

Exploits0References3Affected Software1

Snyk•added 2026/05/26 6:40 p.m.•7 views

Race Condition

Overview github.com/xyproto/algernon/engine is a Affected versions of this package are vulnerable to Race Condition. in the handle process due to the sync.RWMutex being released before L.Push and L.PCall execute. An attacker can cause Lua VM corruption or unpredictable server behavior by making...

8.2CVSS5.8AI score0.00182EPSS

Exploits0References2

NVD•added 2026/05/26 5:16 p.m.•16 views

CVE-2026-43981

Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push and L.PCall execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state...

8.2CVSS0.00182EPSS

Exploits0References2

CNNVD•added 2026/05/26 12:0 a.m.•10 views

algernon 竞争条件问题漏洞

Algernon is a web server developed by Alexander F. Rødseth. Versions of Algernon prior to 1.17.6 contained a race condition vulnerability. This vulnerability stemmed from the sync.RWMutex used in engine/luahandler.go to protect LoadCommonFunctions, which was released before L.Push and L.PCall...

8.2CVSS5.8AI score0.00182EPSS

Exploits0References2

Positive Technologies•added 2026/05/26 12:0 a.m.•11 views

PT-2026-43440

Name of the Vulnerable Software and Affected Versions Pterodactyl versions prior to 1.12.3 Description The Client API contains a logic flaw allowing users to bypass assigned limits for database allocations. This occurs because the database locking mechanism within the controllers is ineffective...

2.3CVSS5.9AI score0.00212EPSS

Exploits0References4

Tenable Nessus•added 2026/05/22 12:0 a.m.•7 views

Linux Distros Unpatched Vulnerability : CVE-2026-28379

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map...

6.5CVSS5.8AI score0.00262EPSS

Exploits0References3

OSV•added 2026/05/15 8:42 a.m.•3 views

BIT-GRAFANA-2026-28379 Viewer-triggered race condition in Grafana Live leads to complete server crash

A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. This results in complete service unavailability requiring restart of the Grafana server...

6.5CVSS5.8AI score0.00262EPSS

Exploits0References2

EUVD•added 2026/05/13 9:32 p.m.•45 views

EUVD-2026-30139

6.5CVSS5.8AI score0.00262EPSS

Exploits0References2

NVD•added 2026/05/13 8:16 p.m.•13 views

CVE-2026-28379

6.5CVSS0.00262EPSS

Exploits0References1