Lucene search
K

285 matches found

Vulnrichment
Vulnrichment
added 2026/03/20 9:35 p.m.3 views

CVE-2026-32887 Effect Bug: `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC

Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using RpcServer.toWebHandler or HttpApp.toWebHandlerRuntime inside a Next.js App Router route handler, any Node.js AsyncLocalStorage-dependent...

7.4CVSS5.8AI score0.0027EPSS
Exploits1References1
OSV
OSV
added 2026/03/20 8:34 p.m.30 views

GHSA-38F7-945M-QR2G Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC

Versions - effect: 3.19.15 - @effect/rpc: 0.72.1 - @effect/platform: 0.94.2 - Node.js: v22.20.0 - Vercel runtime with Fluid compute - Next.js: 16 App Router - @clerk/nextjs: 6.x Root cause Effect's MixedScheduler batches fiber continuations and drains them inside a single microtask or timer...

7.4CVSS6.1AI score0.0027EPSS
Exploits1References3
OSV
OSV
added 2026/03/20 11:37 a.m.5 views

BIT-PARSE-2026-32943 Parse Server has a password reset token single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by...

3.1CVSS5.7AI score0.00207EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.8 views

PT-2026-26764

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.2.0 Description The software is susceptible to a denial-of-service DoS condition triggered by unbounded image decoding and resizing during preview generation. An attacker can exploit this by providing a highly...

6.5CVSS5.8AI score0.00318EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2026/03/18 11:49 p.m.6 views

CVE-2026-32700

A flaw was found in Devise, an authentication solution for Rails. A race condition in the Confirmable module allows a remote attacker to confirm an email address they do not own. By sending two concurrent email change requests, an attacker can desynchronize the confirmation token and unconfirmed...

6.8CVSS5.8AI score0.00275EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/03/18 9:46 p.m.25 views

CVE-2026-32943 Parse Server has a password reset token single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be...

2.3CVSS0.00207EPSS
Exploits0References3
OSV
OSV
added 2026/03/17 5:40 p.m.8 views

GHSA-R3XQ-68WH-GWVH Parse Server has a password reset token single-use bypass via concurrent requests

Impact The password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the...

2.3CVSS5.8AI score0.00207EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/17 5:40 p.m.21 views

Parse Server has a password reset token single-use bypass via concurrent requests

Impact The password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the...

3.1CVSS5.8AI score0.00207EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/03/17 5:24 p.m.5 views

GHSA-57HQ-95W6-V4FC Devise has a confirmable "change email" race condition permits user to confirm email they have no access to

Impact A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option the default when using Confirmable with email changes. By sending two concurrent email change requests, an...

6CVSS5.8AI score0.00275EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/03/17 12:0 a.m.10 views

PT-2026-26160

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be...

3.1CVSS5.8AI score0.00207EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/03/17 12:0 a.m.7 views

PT-2026-25981

Impact A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option the default when using Confirmable with email changes. By sending two concurrent email change requests, an...

6CVSS5.8AI score0.00275EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/03/12 10:12 p.m.5 views

CVE-2026-2581

A flaw was found in Undici. When the interceptors.deduplicate feature is enabled, response data for deduplicated requests can accumulate in memory. A remote attacker, by sending large or chunked responses and concurrent identical requests from an untrusted endpoint, can exploit this uncontrolled...

5.9CVSS5.7AI score0.00566EPSS
Exploits0References6
Snyk
Snyk
added 2026/03/11 12:13 a.m.5 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview sylius/sylius is a platform for PHP, based on Symfony framework. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition through a race condition in the promotion and coupon usage limit enforcement process. An attacker can redeem limited-use...

8.8CVSS5.8AI score0.00179EPSS
Exploits0References3
NVD
NVD
added 2026/03/10 10:16 p.m.7 views

CVE-2026-31824

Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use TOCTOU race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit the global used counter on Promotion entities, coupon usage limi...

8.2CVSS0.00179EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/10 9:32 p.m.34 views

CVE-2026-31824 Sylius has a Promotion Usage Limit Bypass via Race Condition

Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use TOCTOU race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit the global used counter on Promotion entities, coupon usage limi...

8.2CVSS0.00179EPSS
Exploits0References1
OSV
OSV
added 2026/03/06 12:41 p.m.5 views

OESA-2026-1511 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker ...

3.7CVSS5.8AI score0.00341EPSS
Exploits0References2
OSV
OSV
added 2026/03/06 12:41 p.m.7 views

OESA-2026-1509 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker ...

3.7CVSS5.8AI score0.00341EPSS
Exploits0References2
OSV
OSV
added 2026/03/06 12:41 p.m.5 views

OESA-2026-1508 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker ...

3.7CVSS5.8AI score0.00341EPSS
Exploits0References2
OSV
OSV
added 2026/03/03 3:16 p.m.3 views

DEBIAN-CVE-2026-25674

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's...

3.7CVSS5.1AI score0.00341EPSS
Exploits0References1
OSV
OSV
added 2026/03/03 2:28 p.m.2 views

CVE-2026-25674 Potential incorrect permissions on newly created file system objects

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's...

3.7CVSS5.8AI score0.00341EPSS
Exploits0References7
Rows per page
Query Builder