21 matches found

Vulnrichment
added 2026/05/27 9:56 p.m. | 3 views

CVE-2026-46416 Microsoft UFO shared WebSocket handler state causes cross-client response hijacking

Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections. The handler stores per-connection protocol objects in...

CVSS 6.3 | AI score 5.8 | EPSS 0.00043
Exploits: 0 | References: 1
Vulnrichment
added 2026/04/02 3:00 p.m. | 1 view

CVE-2026-33544 Tinyauth has OAuth account confusion via shared mutable state on singleton service instances

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent...

CVSS 7.7 | AI score 5.8 | EPSS 0.00025
Exploits: 1 | References: 3
Github Security Blog
added 2026/04/01 7:52 p.m. | 5 views

Tinyauth has OAuth account confusion via shared mutable state on singleton service instances

Summary: All three OAuth service implementations (GenericOAuthService, GithubOAuthService, GoogleOAuthService) store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider...

CVSS 7.7 | AI score 6 | EPSS 0.00025
Exploits: 1 | References: 5 | Affected software: 1
RedhatCVE
added 2026/04/01 5:03 p.m. | 2 views

CVE-2026-34363

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...

CVSS 8.2 | AI score 5.8 | EPSS 0.00023
Exploits: 0 | References: 1
OSV
added 2026/03/31 11:41 p.m. | 1 view

GHSA-H45M-MGCP-Q388 openssl-encrypt: TOTP rate limiter is in-memory only — not shared across workers, lost on restart

Severity: HIGH. Summary: The TOTP brute-force rate limiter in opensslencryptserver/modules/pepper/totp.py at lines 47-98 uses an in-memory defaultdict(list) as a class variable. Affected code (Python): class TOTPRateLimiter: def __init__(self, ...): self.attempts: Dict[str, List[datetime]] = defaultdict(list)...

CVSS 9.1 | AI score 5.9
Exploits: 0 | References: 3
ATTACKERKB
added 2026/03/31 2:35 p.m. | 2 views

CVE-2026-34363

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...

CVSS 8.2 | AI score 5.8 | EPSS 0.00023
Exploits: 0 | References: 6 | Affected software: 1
OSV
added 2026/03/31 2:35 p.m. | 3 views

CVE-2026-34363 Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...

CVSS 8.2 | AI score 5.8 | EPSS 0.00023
Exploits: 0 | References: 7
Cvelist
added 2026/03/31 2:35 p.m. | 23 views

CVE-2026-34363 Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...

CVSS 8.2 | EPSS 0.00023
Exploits: 0 | References: 5
CVE
added 2026/03/31 2:35 p.m. | 3 views

CVE-2026-34363

The CVE entry maps to a Parse Server LiveQuery vulnerability (protected fields/afterEvent triggers) where multiple subscribers sharing a class could see leaked or incomplete data due to in-place edits of shared mutable objects by the sensitive data filter. The root cause is shared mutable state ...

CVSS 8.2 | AI score 5.8 | EPSS 0.00023
Exploits: 0 | References: 5 | Affected software: 1
Vulnrichment
added 2026/03/31 2:35 p.m. | 1 view

CVE-2026-34363 Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects...

CVSS 8.2 | AI score 5.8 | EPSS 0.00023
Exploits: 0 | References: 5
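
The root cause the CVE-2026-34363 entries above describe (a sensitive-data filter and afterEvent handling that edit one shared object in place while several subscribers to the same class are served) comes down to one question: does each recipient get its own copy before anything is stripped from or added to the event? The following is an added example written for this page in Go, not Parse Server's JavaScript and not the project's code. Object, Subscriber, the Hidden/Hook policy, filter, fanOutShared, fanOutCopied and the sample event are all assumptions of the example; Parse Server's real protectedFields rules are not modelled.

```go
package main

import (
	"encoding/json"
	"sync"
)

// Object is a LiveQuery-style event payload: a JSON-shaped map that, in the
// vulnerable design, every subscriber's handler touches.
type Object map[string]any

// Subscriber carries a simplified per-subscriber policy (an assumption of this
// example, not Parse Server's protectedFields semantics): the fields the
// subscriber must never see, and an afterEvent-style hook that may add fields.
type Subscriber struct {
	Name   string
	Hidden []string
	Hook   func(Object)
}

// filter strips the hidden fields from o in place and returns o.
func filter(o Object, hidden []string) Object {
	for _, f := range hidden {
		delete(o, f)
	}
	return o
}

// deepCopy gives a subscriber its own object. A JSON round-trip is enough for
// payloads that are JSON already; note that numbers come back as float64.
func deepCopy(o Object) (Object, error) {
	b, err := json.Marshal(o)
	if err != nil {
		return nil, err
	}
	var out Object
	return out, json.Unmarshal(b, &out)
}

// fanOutShared is the vulnerable shape: every handler filters and enriches the
// same object, so each subscriber ends up with whatever the last handler left
// behind. Fields one subscriber's hook added leak to the others, and fields
// stripped for the most restricted subscriber vanish for everyone.
func fanOutShared(event Object, subs []Subscriber) map[string]Object {
	out := make(map[string]Object, len(subs))
	for _, s := range subs {
		v := filter(event, s.Hidden)
		if s.Hook != nil {
			s.Hook(v)
		}
		out[s.Name] = v
	}
	return out
}

// fanOutCopied is the hardened shape: each subscriber gets a deep copy before
// any filter or hook runs, which also makes the per-subscriber work safe to
// run concurrently.
func fanOutCopied(event Object, subs []Subscriber) (map[string]Object, error) {
	var mu sync.Mutex
	var wg sync.WaitGroup
	out := make(map[string]Object, len(subs))
	errs := make(chan error, len(subs))
	for _, s := range subs {
		wg.Add(1)
		go func(s Subscriber) {
			defer wg.Done()
			v, err := deepCopy(event) // concurrent reads of event are fine; nobody writes it
			if err != nil {
				errs <- err
				return
			}
			filter(v, s.Hidden)
			if s.Hook != nil {
				s.Hook(v)
			}
			mu.Lock()
			out[s.Name] = v
			mu.Unlock()
		}(s)
	}
	wg.Wait()
	close(errs)
	if err := <-errs; err != nil { // nil once the channel is drained
		return nil, err
	}
	return out, nil
}

// sampleEvent and sampleSubscribers are constructed inputs: one record and two
// subscribers to the same class with different visibility.
func sampleEvent() Object {
	return Object{"objectId": "abc123", "name": "Dana", "salary": 98000, "ssn": "123-45-6789"}
}

func sampleSubscribers() []Subscriber {
	return []Subscriber{
		{Name: "admin", Hook: func(o Object) { o["auditNote"] = "viewed by admin" }},
		{Name: "employee", Hidden: []string{"salary", "ssn"}},
	}
}
```

With the shared fan-out every subscriber's view is the same map, so the admin's event is missing the salary the employee's filter deleted and the employee's event carries the field the admin hook added; reordering the subscribers only changes which of the two effects you notice first, it removes neither. The copied fan-out is also the only one of the two that can be run concurrently at all, which is the setting the advisory describes.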
Github Security Blog
added 2026/03/02 9:41 p.m. | 4 views

OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling

Summary: An unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal error: concurrent map writes) and process termination. This...

CVSS 7.5 | AI score 6.1 | EPSS 0.0017
Exploits: 1 | References: 4 | Affected software: 1
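
The Tinyauth entries above (a per-provider singleton holding each login's PKCE verifier and access token in struct fields) and the OliveTin entry (an OAuth2 state map written by concurrent requests without synchronisation) are two failure modes of one design choice: per-request OAuth state kept in process-wide objects. The Microsoft UFO entry at the top and the jsPDF and Okta SDK entries further down are the same shape in other languages. Below is an added Go example written for this page, not code from Tinyauth, OliveTin or any other project listed here; singletonService, FlowStore, randomToken, pkceChallenge and demoConfusion are names invented for it. It contrasts the vulnerable shape with a store keyed by the state value and guarded by a mutex, with a TTL, one-time consumption and a cap on in-flight logins.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"sync"
	"time"
)

// randomToken: n random bytes as unpadded base64url (the RFC 7636 encoding).
func randomToken(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a dead CSPRNG is not something a login flow can recover from
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// pkceChallenge is the S256 transform: base64url(sha256(verifier)).
func pkceChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// singletonService is the vulnerable shape: one instance per provider, with the
// current login's verifier in a struct field, so the last login to start wins.
type singletonService struct{ verifier string }

func (s *singletonService) Begin() (state, challenge string) {
	s.verifier = randomToken(32)
	return randomToken(16), pkceChallenge(s.verifier)
}

type flowRecord struct{ verifier string; expires time.Time }

// FlowStore keys each in-flight login by its state. The mutex is what the
// OliveTin map lacked: unsynchronised writes to one Go map end in
// "fatal error: concurrent map writes", which recover() cannot catch.
type FlowStore struct {
	mu    sync.Mutex
	flows map[string]flowRecord
	ttl   time.Duration
	max   int // bound on in-flight logins: the login endpoint is unauthenticated
}

func NewFlowStore(ttl time.Duration, max int) *FlowStore {
	return &FlowStore{flows: make(map[string]flowRecord), ttl: ttl, max: max}
}

// Begin files a fresh verifier under a fresh state and returns only what may
// leave the server: the state and the S256 challenge.
func (fs *FlowStore) Begin() (state, challenge string, err error) {
	verifier, now := randomToken(32), time.Now()
	fs.mu.Lock()
	defer fs.mu.Unlock()
	if len(fs.flows) >= fs.max { // purge expired flows before refusing a login
		for k, rec := range fs.flows {
			if !now.Before(rec.expires) {
				delete(fs.flows, k)
			}
		}
		if len(fs.flows) >= fs.max {
			return "", "", errors.New("too many in-flight logins")
		}
	}
	state = randomToken(16)
	fs.flows[state] = flowRecord{verifier, now.Add(fs.ttl)}
	return state, pkceChallenge(verifier), nil
}

// Consume returns the verifier for a callback's state exactly once and never
// after the TTL; deleting the entry is what defeats replay of a state value.
func (fs *FlowStore) Consume(state string) (string, bool) {
	fs.mu.Lock()
	defer fs.mu.Unlock()
	rec, ok := fs.flows[state]
	delete(fs.flows, state)
	if !ok || !time.Now().Before(rec.expires) {
		return "", false
	}
	return rec.verifier, true
}

// demoConfusion replays the advisory's interleaving (Alice begins, Bob begins,
// Alice's callback arrives) against both designs. A callback is correct when
// the verifier it recovers matches the challenge that was issued for it.
func demoConfusion() (vulnerableMixedUp, hardenedCorrect bool) {
	vuln := &singletonService{}
	aState, aChallenge := vuln.Begin()
	vuln.Begin()                                                   // Bob's login overwrites Alice's verifier
	vulnerableMixedUp = pkceChallenge(vuln.verifier) != aChallenge // Alice's callback for aState

	fs := NewFlowStore(5*time.Minute, 10000)
	aState, aChallenge, _ = fs.Begin() // two logins cannot hit the cap
	bState, bChallenge, _ := fs.Begin()
	av, aok := fs.Consume(aState)
	bv, bok := fs.Consume(bState)
	_, replay := fs.Consume(aState) // a second use of Alice's state must fail
	hardenedCorrect = aok && bok && !replay && pkceChallenge(av) == aChallenge && pkceChallenge(bv) == bChallenge
	return vulnerableMixedUp, hardenedCorrect
}
```

demoConfusion returns (true, true): the singleton completes Alice's callback with Bob's verifier, while the keyed store returns each user's own verifier and refuses the replayed state. The mutex in Begin and Consume is what lets any number of goroutines call Begin at once without the runtime's "concurrent map writes" throw, which, unlike an ordinary panic, no recover() catches; run the store under go test -race to confirm there is no data race. The cap matters because the login endpoint is reachable without authentication: without it, every anonymous hit would leave a record in the map until its TTL ran out.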
Vulnrichment
added 2026/02/02 8:38 p.m. | 1 view

CVE-2026-24040 jsPDF has a Shared State Race Condition in addJS Plugin

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable "text" to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. ...

CVSS 6.3 | AI score 5.3 | EPSS 0.00014
Exploits: 1 | References: 3
OSV
added 2026/02/02 6:20 p.m. | 3 views

GHSA-CJW8-79X6-5CJ4 jsPDF has Shared State Race Condition in addJS Plugin

Impact: The addJS method in the jspdf Node.js build utilizes a shared module-scoped variable "text" to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the...

CVSS 6.3 | AI score 5.3 | EPSS 0.00014
Exploits: 1 | References: 5
CNNVD
added 2026/01/12 12:00 a.m. | 1 view

Espressif ESP-IDF Security Vulnerability

Espressif ESP-IDF is an IoT development framework from Espressif Systems (China). A security vulnerability exists in Espressif ESP-IDF versions prior to 1.1.0, which stems from a USB event callback and user code sharing state without locking, which could lead to a double free...

CVSS 6.4 | AI score 6.8 | EPSS 0.00025
Exploits: 0 | References: 4
Veracode
added 2025/12/19 8:25 a.m. | 3 views

Race Condition

com.okta.sdk:okta-sdk-api is vulnerable to a race condition. The vulnerability is due to concurrent use of the ApiClient class, where shared request state can cause response headers or status codes from one request to affect another, potentially leading to incorrect or unsafe API responses...

CVSS 8.4 | AI score 6.6 | EPSS 0.00041
Exploits: 0 | References: 2 | Affected software: 2
OSV
added 2025/09/16 1:08 p.m. | 2 views

CVE-2025-39834 net/mlx5: HWS, Fix memory leak in hws_action_get_shared_stc_nic error flow

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: HWS, Fix memory leak in hws_action_get_shared_stc_nic error flow. When an invalid stc_type is provided, the function allocates memory for shared_stc but jumps to unlock_and_out without freeing it, causing a memory leak. Fix by...

CVSS 5.5 | AI score 6.1 | EPSS 0.00025
Exploits: 0 | References: 5
Snyk
added 2025/03/24 9:30 p.m. | 1 view

Improper Preservation of Consistency Between Independent Representations of Shared State

Overview: Affected versions of this package are vulnerable to Improper Preservation of Consistency Between Independent Representations of Shared State, which can result in two different OpenFlowNodeIds being assigned to the same SFF by different plugins. An attacker can trigger such a name conflict...

CVSS 8.7 | AI score 6.9 | EPSS 0.00134
Exploits: 0 | References: 2
CNNVD
added 2024/07/15 12:00 a.m. | 1 view

Mattermost Mobile Apps Security Vulnerability

Mattermost Mobile Apps is a messaging mobile application from Mattermost (USA). A security vulnerability exists in Mattermost Mobile Apps version 2.16.0 and earlier, which stems from a failure to prevent misuse of globally shared MathJax state, allowing an attacker to change the content of a LaTeX...

CVSS 5.3 | AI score 6.7 | EPSS 0.00334
Exploits: 0 | References: 2
Snyk
added 2023/10/12 12:00 a.m. | 1 view

Improper Preservation of Consistency Between Independent Representations of Shared State

Overview: johnpbloch/wordpress-core is web software you can use to create a website or blog. Affected versions of this package are vulnerable to Improper Preservation of Consistency Between Independent Representations of Shared State due to the improper handling of the X-HTTP-Method-Override...

CVSS 6.9 | AI score 6.8
Exploits: 0 | References: 2
OSV
added 2022/10/18 3:15 a.m. | 1 view

CVE-2022-22234

An Improper Preservation of Consistency Between Independent Representations of Shared State vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows a locally authenticated attacker with low privileges to cause a Denial of Service (DoS). If the device is very busy for...

CVSS 5.5 | AI score 5.8
Exploits: 0 | References: 1