Lucene search
K

51 matches found

Github Security Blog
Github Security Blog
added 2026/06/12 6:29 p.m.14 views

gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362)

Vulnerability: CWE-362 — Concurrent Map Access Race Condition in InMemorySecret2FA CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization Affected Component - github.com/pilinux/gorest — Go REST API boilerplate - InMemorySecret2FA — in-memory 2FA secret store...

6AI score0.00051EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/12 6:29 p.m.9 views

GHSA-CPWG-X64R-RGWG gorest InMemorySecret2FA race condition allows process crash via concurrent map access (CWE-362)

Vulnerability: CWE-362 — Concurrent Map Access Race Condition in InMemorySecret2FA CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization Affected Component - github.com/pilinux/gorest — Go REST API boilerplate - InMemorySecret2FA — in-memory 2FA secret store...

5.9CVSS6AI score0.00051EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.16 views

PT-2026-49058

Name of the Vulnerable Software and Affected Versions gorest affected versions not specified Description A race condition exists in the InMemorySecret2FA in-memory 2FA secret store due to the use of a bare Go map without proper synchronization. Multiple HTTP handlers concurrently read from, write...

5.9CVSS5.9AI score0.00051EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/05 7:25 p.m.13 views

CVE-2026-44318

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's BSF PUT /nbsf-management/v1/subscriptions/subId handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock via BSFContext.GetSubscriptionsubId, but if t...

6.5CVSS5.6AI score0.00268EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/02 3:23 p.m.12 views

EUVD-2026-33950

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running...

5.1CVSS5.7AI score0.00161EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/06/02 3:23 p.m.10 views

CVE-2026-45682

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running...

5.1CVSS5.7AI score0.00161EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/05/29 4:56 p.m.10 views

GHSA-VP73-VJW8-8F32 Gotenberg has a Race Condition via Multipart `downloadFrom` Handling

Summary Gotenberg is vulnerable to a remote denial of service in multipart downloadFrom handling. A multipart request containing multiple downloadFrom entries causes concurrent goroutines to write to shared maps without synchronization. This can terminate the process with fatal error: concurrent...

7.5CVSS5.9AI score0.00138EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/29 4:56 p.m.14 views

Gotenberg has a Race Condition via Multipart `downloadFrom` Handling

Summary Gotenberg is vulnerable to a remote denial of service in multipart downloadFrom handling. A multipart request containing multiple downloadFrom entries causes concurrent goroutines to write to shared maps without synchronization. This can terminate the process with fatal error: concurrent...

5.9AI score0.00138EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.11 views

PT-2026-45015

Name of the Vulnerable Software and Affected Versions Gotenberg versions 8.10.0 through 8.x Description Gotenberg is susceptible to a remote denial of service due to a race condition when handling multipart requests. When a request contains multiple downloadFrom entries, the system initiates...

7.5CVSS6AI score0.00138EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/27 3:35 p.m.8 views

CVE-2026-44318

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's BSF PUT /nbsf-management/v1/subscriptions/subId handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock via BSFContext.GetSubscriptionsubId, but if t...

6.5CVSS5.9AI score0.00268EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/05/20 7:7 p.m.10 views

GO-2026-4994 free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions in github.com/free5gc/bsf

free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/subId crashes the BSF process via concurrent map read/write on Subscriptions in github.com/free5gc/bsf...

6.5CVSS5.8AI score0.00268EPSS
Exploits1References4
OSV
OSV
added 2026/05/19 3:53 p.m.5 views

GHSA-W4VJ-R5PG-3722 Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)

Summary The screenshot/print proxy /proxy?data=… maintains a package-level assets mapstringMessageAssets cache, but reads the map without holding assetsMutex while a long-running cleanup goroutine and re-entrant CSS-rewriting code path concurrently write to it under the lock. When the...

5.9CVSS5.9AI score0.00091EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/19 3:53 p.m.11 views

Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)

Summary The screenshot/print proxy /proxy?data=… maintains a package-level assets mapstringMessageAssets cache, but reads the map without holding assetsMutex while a long-running cleanup goroutine and re-entrant CSS-rewriting code path concurrently write to it under the lock. When the...

5.9AI score0.00091EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.9 views

PT-2026-41967

Name of the Vulnerable Software and Affected Versions Mailpit affected versions not specified Description A remote, unauthenticated attacker can cause a denial of service DoS by crashing the Mailpit process. The issue occurs because the screenshot/print proxy reads a package-level assets cache...

5.9CVSS5.9AI score0.00091EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/08 10:41 p.m.11 views

free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions

Summary free5GC's BSF PUT /nbsf-management/v1/subscriptions/subId handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock via BSFContext.GetSubscriptionsubId, but if the subscription does not exist, ReplaceIndividualSubcription writes back ...

6.5CVSS5.9AI score0.00268EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2026/05/08 10:41 p.m.5 views

GHSA-27PH-8Q4F-H7M7 free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions

Summary free5GC's BSF PUT /nbsf-management/v1/subscriptions/subId handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock via BSFContext.GetSubscriptionsubId, but if the subscription does not exist, ReplaceIndividualSubcription writes back ...

6.5CVSS5.9AI score0.00268EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2026/03/27 5:9 p.m.4 views

CVE-2026-26072

EVerest is an EV charging software stack. Versions prior to 2026.02.0 have a data race leading to std::map concurrent access container/optional corruption possible. The trigger is EV SoC update with powermeter periodic update and unplugging/SessionFinished status. Version 2026.02.0 patches the...

4.2CVSS5.9AI score0.00137EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/03/25 12:26 a.m.4 views

SUSE CVE-2026-28789

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin's OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map,...

7.5CVSS5.8AI score0.00394EPSS
Exploits1References3
OSV
OSV
added 2026/03/10 6:28 p.m.4 views

GO-2026-4586 OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling in github.com/OliveTin/OliveTin

OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling in github.com/OliveTin/OliveTin. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...

7.5CVSS5.8AI score0.00394EPSS
Exploits1References3
NVD
NVD
added 2026/03/05 8:16 p.m.7 views

CVE-2026-28789

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.10.3, an unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map,...

7.5CVSS0.00394EPSS
Exploits1References2
Rows per page
Query Builder