
29 matches found

Snyk
added 2026/04/22 5:06 p.m., 3 views

Improper Authentication

Overview: Affected versions of this package are vulnerable to Improper Authentication due to the SkipClientIDCheck configuration in the OIDC authentication provider, which disables audience claim validation. An attacker can gain unauthorized access by presenting a token issued for a different...

CVSS 9.2, AI score 5.5, EPSS 0.00068
Exploits: 0, References: 2
Snyk
added 2026/04/22 5:06 p.m., 1 view

Race Condition

Overview: Affected versions of this package are vulnerable to Race Condition in the heartbeat process. An attacker can cause the server to crash or become unresponsive by triggering concurrent session heartbeat and closure operations, leading to a panic or deadlock due to improper synchronization...

CVSS 8.7, AI score 5.5, EPSS 0.00055
Exploits: 0, References: 2
NVD
added 2026/04/21 10:16 p.m., 2 views

CVE-2026-40945

Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This...

CVSS 8.7, EPSS 0.00069
Exploits: 0, References: 1
NVD
added 2026/04/21 10:16 p.m., 1 view

CVE-2026-40943

Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with "send on closed channel". The heartbeat method uses a blocking channel send while holding a mutex, and under specific timin...

CVSS 8.7, EPSS 0.00055
Exploits: 0, References: 1
EUVD
added 2026/04/21 9:18 p.m., 3 views

EUVD-2026-24512

Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets SkipClientIDCheck: true in the go-oidc verifier configuration, disabling the standard audience (aud) claim validation at the library level. This allows tokens issued for unrelate...

CVSS 9.2, AI score 5.7, EPSS 0.00068
Exploits: 0, References: 1
CVE
added 2026/04/21 9:16 p.m., 5 views

CVE-2026-40945

Oxia (metadata store/coordination system) is affected prior to version 0.16.2. When OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext, potentially exposing JWT tokens in application logs and any connected log aggregation systems if DEBUG logging is enabled in ...

CVSS 8.7, AI score 5.8, EPSS 0.00069
Exploits: 0, References: 1
EUVD
added 2026/04/21 9:16 p.m., 1 view

EUVD-2026-24511

Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This...

CVSS 8.7, AI score 5.8, EPSS 0.00069
Exploits: 0, References: 1
ATTACKERKB
added 2026/04/21 9:16 p.m., 0 views

CVE-2026-40945

Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. This...

CVSS 8.7, AI score 5.8, EPSS 0.00069
Exploits: 0, References: 2, Affected software: 1
EUVD
added 2026/04/21 9:14 p.m., 1 view

EUVD-2026-24509

Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded...

CVSS 6.9, AI score 5.8, EPSS 0.00033
Exploits: 0, References: 1
Cvelist
added 2026/04/21 9:14 p.m., 24 views

CVE-2026-40944 Oxia: TLS CA certificate chain validation fails with multi-certificate PEM bundles

Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded...

CVSS 6.9, EPSS 0.00033
Exploits: 0, References: 1
CVE
added 2026/04/21 9:14 p.m., 5 views

CVE-2026-40944

Summary: CVE-2026-40944 affects Oxia, a metadata store and coordination system. Before 0.16.2, the TLS trustedCertPool() configuration only loads the first PEM block from CA bundles; when multiple certificates (e.g., intermediate + root) are present, the chain is not fully validated for mTLS. Thi...

CVSS 6.9, AI score 5.8, EPSS 0.00033
Exploits: 0, References: 1
Vulnrichment
added 2026/04/21 9:13 p.m., 1 view

CVE-2026-40943 Oxia: Server crash via race condition in session heartbeat handling

Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with "send on closed channel". The heartbeat method uses a blocking channel send while holding a mutex, and under specific timin...

CVSS 8.7, AI score 5.9, EPSS 0.00055
Exploits: 0, References: 1
CVE
added 2026/04/21 9:13 p.m., 9 views

CVE-2026-40943

CVE-2026-40943 affects Oxia prior to 0.16.2. A race between session heartbeat processing and session closure can cause the server to panic (send on closed channel) or deadlock due to the heartbeat() method holding a mutex while performing a blocking channel send, with a TOCTOU gap in KeepAlive. T...

CVSS 8.7, AI score 5.9, EPSS 0.00055
Exploits: 0, References: 1
Positive Technologies
added 2026/04/21 12:00 a.m., 2 views

PT-2026-34187

Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with "send on closed channel". The heartbeat method uses a blocking channel send while holding a mutex, and under specific timin...

CVSS 8.7, AI score 5.9, EPSS 0.00055
Exploits: 0, References: 3
Snyk
added 2026/04/14 11:14 p.m., 1 view

Insertion of Sensitive Information into Log File

Overview: Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the validateTokenWithContext function. An attacker can obtain sensitive authentication tokens by accessing debug-level application logs or connected log aggregation systems, and...

CVSS 8.7, AI score 5.8, EPSS 0.00069
Exploits: 0, References: 2
Positive Technologies
added 2025/11/13 12:00 a.m., 3 views

PT-2025-46906

Name of the Vulnerable Software and Affected Versions: OpenObserve versions prior to 0.16.2
Description: OpenObserve is a cloud-native observability platform. When creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This occurs because...

CVSS 3.5, AI score 6.3, EPSS 0.00025
Exploits: 0, References: 4
NVD
added 2025/10/15 6:15 p.m., 4 views

CVE-2025-62382

Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.2, Frigate's export workflow allows an authenticated operator to nominate any filesystem location as the thumbnail source for a video export. Because that path is copied verbatim into the...

CVSS 7.7, EPSS 0.00044
Exploits: 0, References: 2
CVE
added 2025/10/15 5:07 p.m., 8 views

CVE-2025-62382

CVE-2025-62382 affects Frigate (network video recorder for IP cameras). Before v0.16.2, the export workflow lets an authenticated operator nominate any filesystem path as the thumbnail source for a video export. The chosen path is copied verbatim into the publicly served clips directory, enabling...

CVSS 7.7, AI score 5.5, EPSS 0.00044
Exploits: 0, References: 2
CNNVD
added 2025/01/21 12:00 a.m., 2 views

Hashicorp Go-slug Link Following Vulnerability

HashiCorp Go-slug is a Go-based library from HashiCorp (USA) for packing and unpacking files. A security vulnerability exists in Hashicorp Go-slug version 0.16.2 and earlier; it stems from the fact that HashiCorp's go-slug library is susceptible to a zip-slip style attack when...

CVSS 9.1, AI score 6.8, EPSS 0.00467
Exploits: 0, References: 2
OSV
added 2024/05/27 4:15 p.m., 0 views

UBUNTU-CVE-2024-32978

Kaminari is a paginator for web app frameworks and object relational mappings. A security vulnerability involving insecure file permissions has been identified in the Kaminari pagination library for Ruby on Rails. This vulnerability is of moderate severity du...

CVSS 6.6, AI score 5.7, EPSS 0.00132
Exploits: 0, References: 3