Lucene search
K

285 matches found

RedHat Linux
RedHat Linux
added 2026/04/13 2:27 a.m.7 views

undici: Undici: Denial of Service due to uncontrolled resource consumption

A flaw was found in Undici. When the interceptors.deduplicate feature is enabled, response data for deduplicated requests can accumulate in memory. A remote attacker, by sending large or chunked responses and concurrent identical requests from an untrusted endpoint, can exploit this uncontrolled...

5.9CVSS7AI score0.00566EPSS
Exploits0References7
Snyk
Snyk
added 2026/04/10 9:0 p.m.5 views

Race Condition

Overview Affected versions of this package are vulnerable to Race Condition due to unsynchronized concurrent access to the userTokens map in the local authentication process. An attacker can cause the server to crash or reuse authentication tokens by sending multiple simultaneous requests to the...

6.4CVSS5.8AI score0.00243EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/04/09 7:23 p.m.6 views

CVE-2026-33459

Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent...

6.5CVSS5.9AI score0.0024EPSS
Exploits0References1
NVD
NVD
added 2026/04/08 6:26 p.m.10 views

CVE-2026-33459

Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent...

6.5CVSS0.0024EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/08 4:46 p.m.5 views

CVE-2026-33459 Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent...

6.5CVSS5.9AI score0.0024EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.9 views

PT-2026-30704

Name of the Vulnerable Software and Affected Versions Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000 Description A flaw exists in the Wi-Fi driver of the specified Samsung processors due to improper synchronization on a...

7CVSS5.8AI score0.00086EPSS
Exploits0References6
CVE
CVE
added 2026/04/02 3:0 p.m.11 views

CVE-2026-33544

CVE-2026-33544 affects tinyauth: before v5.0.5, GenericOAuthService, GithubOAuthService, and GoogleOAuthService store PKCE verifiers and access tokens on shared singleton instances. A race between VerifyCode() and Userinfo() during concurrent OAuth logins can cause one user’s session to be popula...

7.7CVSS5.8AI score0.00338EPSS
Exploits1References3Affected Software1
RedHat Linux
RedHat Linux
added 2026/04/02 1:54 p.m.15 views

org.keycloak.protocol.oidc: Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

3.1CVSS5.8AI score0.00282EPSS
Exploits0References4
Snyk
Snyk
added 2026/04/01 9:3 p.m.3 views

Race Condition

Overview Affected versions of this package are vulnerable to Race Condition in the updateUser function, specifically when handling concurrent requests. that exploit. An attacker can gain higher-level privileges by sending multiple simultaneous requests that manipulate user roles during a timing g...

5.9CVSS5.8AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/01 7:52 p.m.10 views

Tinyauth has OAuth account confusion via shared mutable state on singleton service instances

Summary All three OAuth service implementations GenericOAuthService, GithubOAuthService, GoogleOAuthService store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent requests. When two users initiate OAuth login for the same provider...

7.7CVSS6AI score0.00338EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/30 5:51 p.m.8 views

AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance

Summary The transferBalance method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use TOCTOU race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions or row-level locking. An attack...

5.3CVSS6AI score0.00228EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/29 3:23 p.m.6 views

Parse Server has an MFA single-use token bypass via concurrent authData login requests

Impact An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery cod...

4.4CVSS5.9AI score0.00311EPSS
Exploits0References7Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/27 6:12 p.m.2 views

CVE-2026-34368 AVideo Vulnerable to Wallet Balance Double-Spend via TOCTOU Race Condition in transferBalance

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the transferBalance method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use TOCTOU race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new...

5.3CVSS5.9AI score0.00228EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/27 6:12 p.m.3 views

CVE-2026-34368

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the transferBalance method in plugin/YPTWallet/YPTWallet.php contains a Time-of-Check-Time-of-Use TOCTOU race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new...

5.3CVSS5.9AI score0.00228EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/27 7:14 a.m.3 views

BIT-PARSE-2026-33624 Parse Server: MFA recovery code single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent logi...

2.7CVSS5.8AI score0.00175EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/03/26 2:59 p.m.4 views

CVE-2026-31824

Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use TOCTOU race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit the global used counter on Promotion entities, coupon usage limi...

8.2CVSS5.9AI score0.00179EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/24 6:28 p.m.26 views

CVE-2026-33624 Parse Server: MFA recovery code single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending...

2.1CVSS0.00175EPSS
Exploits0References5
OSV
OSV
added 2026/03/24 6:28 p.m.4 views

CVE-2026-33624 Parse Server: MFA recovery code single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending...

2.1CVSS5.8AI score0.00175EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/03/24 6:28 p.m.3 views

CVE-2026-33624 Parse Server: MFA recovery code single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending...

2.1CVSS5.8AI score0.00175EPSS
Exploits0References5
CVE
CVE
added 2026/03/24 6:28 p.m.15 views

CVE-2026-33624

CVE-2026-33624 affects Parse Server. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who knows a user’s password and a valid MFA recovery code can reuse that code indefinitely by sending concurrent login requests, defeating the single‑use design of recovery codes. Impacted component: MFA...

2.7CVSS5.8AI score0.00175EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder