Lucene search
K
GithubRecent

33187 matches found

Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.12 views

Network-AI: EnvironmentManager.restore() backup ID path traversal copies arbitrary directories into environment data

Summary EnvironmentManager.restoreenv, backupId computes the backup path with joinenvDir, '.backups', backupId and only checks that this path exists. It does not resolve the result or verify that it remains under data//.backups. A caller can pass a traversal backup ID such as...

6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.10 views

Network-AI: EnvironmentManager.backup() follows symlinked directories and copies files outside the environment root into backups

Summary EnvironmentManager.backup recursively collects files using collectBackupFiles. collectBackupFiles uses statSyncfull, which follows symlinks. If data/ contains a symlink to a directory outside the environment root, backup recursion follows the symlink and copies external files into...

5.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.13 views

Network-AI: ApprovalInbox HTTP server has no authentication — anyone can approve pending agent actions

Summary network-ai's ApprovalInbox lib/approval-inbox.ts is a shipped, exported, documented feature — "a web-accessible approval queue with REST API … and SSE streaming" SECURITY.md. It is the network surface of the human-in-the-loop Approval Gate, which ApprovalGate uses to require explicit huma...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.12 views

Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory

Summary AgentRuntime promises scoped file access under a configured sandbox basePath, but its path containment checks use raw string prefix tests. A sandbox base such as /tmp/network-ai-sandbox also matches a sibling path such as /tmp/network-ai-sandboxevil/secret.txt. An agent/user that can call...

5.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.9 views

Network-AI: Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruning

Summary EnvironmentManager.listBackups reads each backup's manifest.json and trusts the manifest's path field. EnvironmentManager.pruneBackups later passes that trusted entry.path directly to rmSyncentry.path, recursive: true, force: true . An attacker who can place or modify a manifest inside...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.8 views

MCPVault: PathFilter restricted directories (.git/.obsidian/node_modules) only denied at vault root, not nested

PathFilter's deny-list glob patterns are anchored, so .git, .obsidian, and nodemodules were only blocked at the vault root. Nested copies inside the vault e.g. tools/cli/nodemodules/..., tools/somerepo/.git/config, a nested .obsidian/ were fully traversable via isAllowed/isAllowedForListing...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.8 views

Sveltia CMS: Stored XSS in Markdown/RichText preview via unsandboxed same-origin iframe

Impact A stored cross-site scripting XSS vulnerability affected the Markdown/RichText field preview renderer in Sveltia CMS. The DOMPurify sanitization configuration used for Markdown previews explicitly permitted iframe elements without enforcing a sandbox attribute or restricting iframe sources...

5.6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.8 views

symfony/ux-toolkit: Path Traversal Allows Arbitrary File Write and Read via Crafted Recipe Manifest

Description The ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map. The only guard against malicious paths was Path::isRelative, which returns true for paths like ../../../etc. Path::join then resolves the .. segments without complaint, so the...

7.8CVSS6.1AI score0.00146EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.9 views

symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses

Description The uxicon Twig function is marked issafe='html', so Twig never escapes its output. Icon::toHtml inlines the SVG source verbatim into the page. Browsers execute elements and on event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site...

6.1CVSS6AI score0.00194EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.9 views

SpiceDB: Checks involving relations with caveats can result in unconditional permission when conditional permission is expected

Impact Under concurrency, CheckPermission and CheckBulkPermissions can return PERMISSIONSHIPHASPERMISSION for a resource, permission, subject whose correct answer is PERMISSIONSHIPCONDITIONALPERMISSION. You are impacted if all of the following hold: 1. Your schema has a permission combining...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.9 views

OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types

On OpenBao 2.5.4 and 2.5.2and likely earlier versions also, an authenticated caller with write access to transit/keys/ can crash the OpenBao server by issuing a single key-creation request that combines an asymmetric type rsa-, ecdsa-, ed25519 with derived: true. The server returns no HTTP respon...

6AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.7 views

OpenBao's System Backend allows Unauthorized Management of the containing Namespace

Summary A user that is granted namespace management /sys/namespaces capabilities within a non-root namespace "the victim namespace" can abuse special handling of the literal path "root" in namespace path canonicalization to manage the victim namespace itself. Details Several endpoints under...

6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.10 views

OpenBao: Cross-namespace lease revocation/renewal via canonical sys/leases/{revoke,renew} — incomplete fix of CVE-2026-45808

Summary OpenBao users with access to the sys/leases/revoke/:leaseid endpoint in any namespace can revoke leases in any other namespace as long as the lease identifier is known to them, bypassing ACLs that should apply for cross-namespace revocations. Impact OpenBao's namespaces provide multi-tena...

5.8AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.11 views

OpenBao: LDAPi ldaputil (wrong escape func)

Description Component sdk/helper/ldaputil/client.go — the shared LDAP utility library used by both the LDAP authentication backend and OpenLDAP secrets engine to construct LDAP search filters and bind DNs. Root Cause The LDAP utility contains a function selection error that causes incorrect...

6.1AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:41 p.m.9 views

StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled

Summary With $wgEmbedVideoRequireConsent enabled the default, the urls for videos are stored in a json-ified data attributedata-mw-iframeconfig. When given a malformed url or id, the data-mw-iframeconfig attribute can be escaped via single quotes, allowing for html/javascript injection. Details T...

6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:18 p.m.12 views

Outerbase Studio: Stored XSS in Text Widget Leads to Authentication Token Exposure

Summary A Stored Cross-Site Scripting XSS issue previously existed in the Text Widget in Board of Outerbase Studio where unsanitized HTML could be rendered using dangerouslySetInnerHTML Steps to Reproduce 1. Create a new dashboard. 2. Add a Text widget. 3. Insert the following payload: html...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:18 p.m.10 views

Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit

Summary All components based on BaseFileComponent are vulnerable to the following vulnerability: 1. Docling DoclingInlineComponent 2. Docling Serve DoclingRemoteComponent 3. Read File FileComponent 4. NVIDIA Retriever Extraction NvidiaIngestComponent 5. Video File VideoFileComponent 6. Unstructur...

9.6CVSS6.3AI score0.00411EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:17 p.m.9 views

Langflow: Unauthenticated DoS through multipart form boundary file upload

Summary An attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an indefinite amount of time. Details...

7.5CVSS5.9AI score0.00321EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:17 p.m.9 views

Langflow: Logout button does not clear session

Summary The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. Details Not in auto login mode. Hosted on localhost. accesstokenlf remains present in both Local Storage and Cookies. refreshtokenlf remains present in Cookies. Root...

6.1CVSS5.9AI score0.00152EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:16 p.m.10 views

Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow

Summary Insecure Direct Object Reference IDOR vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. Details The vulnerability exists in the getflowbyidorendpointname helper...

8.4CVSS6AI score0.00467EPSS
Exploits2References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:16 p.m.7 views

py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()

Summary PackInfo.read uses an On^2 cumulative sum pattern where numstreams is read directly from the archive header. A crafted .7z archive with a large numstreams value causes excessive CPU consumption during SevenZipFile.init — no extraction is needed. A 50 KB archive takes 7 seconds of CPU time...

8.7CVSS5.8AI score0.00321EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:16 p.m.9 views

py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size

py7zr's Worker.decompress extracts archive entries without tracking total decompressed size. A crafted .7z file can exhaust disk or memory before the extraction completes. Measured: 15.6 KB archive → 100 MB output 6,556:1 ratio. Proof of concept: python import py7zr, tempfile, os create bomb:...

8.7CVSS5.9AI score0.00321EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:16 p.m.10 views

Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms

Summary The remediation shipped in mailpit v1.29.2 for GHSA-mpf7-p9x7-96r3 CVE-2026-27808 is incomplete. The tools.IsInternalIP deny-list relies on Go's stdlib classification helpers IsLoopback, IsPrivate, IsLinkLocalUnicast, IsLinkLocalMulticast, IsUnspecified, IsMulticast plus an inline CGNAT...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:16 p.m.12 views

Open Redirect Bypass in miniflux-v2

Summary The URL restrictions in miniflux-v2 can be bypassed by attackers, leading to an open redirect vulnerability. Details Normally, the redirect URL needs to be validated using IsRelativePath. There are some security measures in place, such as requiring relative paths, prohibiting host and...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:16 p.m.7 views

http4k: `ServerFilters.DigestAuth` / `DigestAuthProvider` defaulted to an always-true nonce verifier, disabling replay protection in default deployments

Impact ServerFilters.DigestAuth and the underlying DigestAuthProvider both defaulted their nonceVerifier parameter to true — i.e. every nonce was accepted regardless of value, age, or prior use. Any deployment using the default configuration had no replay protection on Digest authentication; a...

5.8AI score
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:16 p.m.6 views

http4k: BasicCookieStorage` (renamed `InsecureCookieStorage`) did not enforce RFC 6265 cookie scoping; new `DefaultCookieStorage` is now the default

Impact The previous BasicCookieStorage did not enforce RFC 6265 scoping rules around cookie domain, path, and Secure attribute. A client using a single storage instance to talk to multiple origins could have cookies leak across domains, or have Secure cookies sent over plain HTTP — the deprecatio...

5.9AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:16 p.m.7 views

http4k: `HmacSha256.hash` (despite the `Hmac` naming) computed a plain unkeyed digest; clarified by deprecation in favour of `Sha256.hash` / `Sha256.hmac`

Impact The HmacSha256 class contained two functions: - hashpayload — a plain unkeyed SHA-256 digest. The Hmac prefix in the class name was misleading; this function has no key parameter, so it could never have been an HMAC. - hmacSHA256key, data — a properly keyed HMAC-SHA256. A reader who didn't...

5.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.10 views

http4k: `reverseProxy()` defaulted to substring (`Contains`) matching on `Host`; tightened to `Exact`

Impact reverseProxy and reverseProxyRouting matched configured vhosts by substring on the Host header Contains matcher by default. The intended use of these functions in http4k is outbound dispatch e.g. matching AWS service subdomains, per the Contains docstring and test-time composition of fake...

5.9AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.7 views

Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails

Summary There is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported nginx.ingress.kubernetes.io/auth-type and auth-secret annotations, but the...

8.6CVSS5.9AI score0.0036EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.7 views

Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering

Summary The ansi.js Handlebars helper in allure-generator passes user-controlled statusMessage and statusTrace values from test result files through the ansi-to-html library and wraps the output in Handlebars SafeString without HTML escaping. Since ansi-to-html does not escape HTML entities by...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.6 views

Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read

Summary The built-in HTTP server started by allure serve and allure open is vulnerable to path traversal. The server resolves request URI paths directly against the report directory without normalizing or validating that the resolved path stays within the report directory. An attacker who can rea...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.10 views

VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files

Summary vcrpy deserializes YAML cassette files with PyYAML's object-constructing loader yaml.CLoader / yaml.Loader instead of the safe loader yaml.CSafeLoader / yaml.SafeLoader. A cassette containing a !!python/object/apply: or similar tag therefore executes arbitrary Python code the moment the...

6.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.6 views

dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens

Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens Summary The local OAuth helper FastAPI server bundled with dbt-mcp exposes the GET /dbtplatformcontext endpoint without any form of authentication or host-origin validation. After a user completes the OAuth login flow against dbt...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.8 views

Ultimate Sitemap Parser (USP): XML Entity Expansion (Billion Laughs) DoS in XMLSitemapParser

XML Entity Expansion Billion Laughs DoS in XMLSitemapParser Summary ultimate-sitemap-parser version 1.8.0 and earlier parse attacker-controlled XML content using Python's xml.parsers.expat without any restriction on DTD declarations or recursive entity references. An attacker who can serve a...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.12 views

Ultimate Sitemap Parser (USP): Gzip Decompression Bomb Bypasses Sitemap Size Limit

Gzip Decompression Bomb Bypasses Sitemap Size Limit Summary ultimate-sitemap-parser enforces a 100 MiB size limit on sitemap responses, but applies it only to the compressed bytes received over the network. When a .gz sitemap is fetched, usp/helpers.py:239 calls gziplib.decompressdata with no...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.6 views

go.qbee.io/transport: Symlink-chain path traversal in tar extraction (one level outside destination)

Impact The go.qbee.io/transport library is affected by a symlink-chain path traversal vulnerability in its extractTar routine. The library's path validation is strictly lexical and fails to account for on-disk symlinks created earlier in the extraction process. Consequently, a crafted tar archive...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.5 views

TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover

TinaCMS registers window message listeners — the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer — that act on event.data without verifying event.origin or event.source, and post messages using non-specific target origins. A page the...

7.6CVSS5.8AI score0.00196EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.9 views

Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass

Summary The CartController defines a RateLimiter behavior that is only activated when the 'number' POST/GET parameter is explicitly provided. Details When an attacker submits coupon codes against the session-based cart without passing a 'number' parameter, no rate limiting is applied. This allows...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.8 views

Craft Commerce: Partial Payment Amount Without Lower Bound Validation

Summary The Order::setPaymentAmount method accepts any float value without enforcing a minimum positive amount. The PaymentsController casts the user-supplied 'paymentAmount' parameter directly to float with no lower-bound check. Details When the store has 'Allow Partial Payment on Checkout'...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.7 views

Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs

Overview Craft CMS is vulnerable to Server-Side Request Forgery SSRF and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the...

6.9CVSS6.1AI score0.0033EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.6 views

@tinacms/cli: Remote Code Execution in @tinacms/cli via Forestry migration — unsanitised __TINA_INTERNAL__ marker in user-controlled YAML labels

Description Summary @tinacms/cli contains a Remote Code Execution vulnerability in its Forestry-to-Tina migration command. The internal helper addVariablesToCode unquotes any value matching the marker "TINAINTERNAL:::.?:::" inside the stringified collection JSON. User-supplied label and name fiel...

7.8CVSS6.2AI score0.0017EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:15 p.m.8 views

StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized class passed to template

Summary The user supplied class value is fed directly into the sprintf call that creates HTML. You can add a quote to escape the class and then inject arbitrary html/javascript to the final output. Details The template here adds a figure with a class that is substituted in. This value is provided...

6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 9:14 p.m.7 views

StarCitizenWiki Extension Embed Video: Stored XSS via unsanitized service name in exception text

Summary When passing an unknown service name to embedvideo, an error message is rendered containing the invalid service name. The service name is not sanitized and can contain HTML. Details There is a hardcoded list of allowed services in a switch statement inside EmbedServiceFactorynewFromName...

6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 8:51 p.m.8 views

Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName

We have released version 5.24.0 of the Grafana Operator. This patch includes a MODERATE severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator. Summary The Grafana Operator supports loading dashboards & library panels using the jsonnet data templatin...

8.8CVSS5.9AI score0.00361EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/19 8:47 p.m.9 views

Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag

Summary Crossplane allows package signature verification to be configured via the ImageConfig mechanism. When enabled, the package manager uses cosign to verify that packages are correctly signed before pulling and installing them. When a package is installed using a tag reference e.g., a semanti...

5.7AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/19 8:47 p.m.5 views

flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key

Summary convert builds the nested tree by using each flat record's id and parent field values directly as object keys, with no guard against proto / constructor / prototype. A record whose parent is the string "proto" makes tempparent resolve to Object.prototype, and the following initPush...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 8:47 p.m.8 views

@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument

Summary A command injection vulnerability exists in @cyclonedx/cyclonedx-npm when the CLI is invoked with the --workspace option while the environment variable npmexecpath is unset or empty. User‑supplied --workspace values are passed to a subshell without proper sanitization, enabling attackers ...

8.5CVSS6.3AI score0.0016EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 8:47 p.m.8 views

Blocky DNSSEC validation bypass and validation-cache scope pollution

Summary Blocky accepts and caches forged DNS answers while dnssec.validate: true is enabled. The issue has two related exploit paths: 1. Basic DNSSEC validation bypass. If an untrusted upstream returns an unsigned positive answer for a DNSSEC-signed public domain, Blocky classifies the response a...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 8:47 p.m.7 views

UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()

Summary ujson.dumps or ujson.dump or ujson.encode have a rejectbytes=False option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input validation bypass and data integrity...

6.5CVSS5.7AI score0.00272EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/19 8:47 p.m.9 views

Concurrent Ruby: ReadWriteLock allows wrong-thread write release and stray read-release counter corruption

Summary Concurrent::ReadWriteLockreleasewritelock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still...

9.8CVSS6AI score0.0016EPSS
Exploits0References2Affected Software1
Total number of security vulnerabilities33187