Search Results (2574 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-32887 2 Effect Project, Effectful 2 Effect, Effect 2026-04-15 7.4 High
Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue.
CVE-2026-34849 1 Huawei 1 Harmonyos 2026-04-15 2.5 Low
UAF vulnerability in the screen management module. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2025-30235 1 Securenvoy 1 Securaccess 2026-04-15 3.5 Low
Shearwater SecurEnvoy SecurAccess Enrol before 9.4.515 is intended to disable accounts that have had more than 10 failed authentication attempts, but instead allows hundreds of failed authentication attempts, because concurrent attempts are mishandled.
CVE-2024-47534 1 Theupdateframework 1 Go-tuf 2026-04-15 5.3 Medium
go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", then the client should trace the delegations in the order "A" then "B" then "C" but it may incorrectly trace the delegations "B"->"C"->"A". This vulnerability is fixed in 2.0.1.
CVE-2025-64168 1 Agno-agi 1 Agno 2026-04-15 7.1 High
Agno is a multi-agent framework, runtime and control plane. From 2.0.0 to before 2.2.2, under high concurrency, when session_state is passed to Agent or Team during run or arun calls, a race condition can occur, causing a session_state to be assigned and persisted to the incorrect session. This may result in user data from one session being exposed to another user. This has been patched in version 2.2.2.
CVE-2025-1127 1 Lexmark 1 Lexmark 2026-04-15 9.1 Critical
The vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user and/or modify the contents of any data on the filesystem.
CVE-2025-31944 1 Intel 1 Tdx Module 2026-04-15 5.3 Medium
Race condition for some TDX Module before version tdx1.5 within Ring 0: Hypervisor may allow a denial of service. Authorized adversary with a privileged user combined with a high complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (low) impacts.
CVE-2024-0397 2 Python Software Foundation, Redhat 2 Cpython, Enterprise Linux 2026-04-15 7.4 High
A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.
CVE-2024-7598 1 Kubernetes 1 Kubernetes 2026-04-15 3.1 Low
A security issue was discovered in Kubernetes where a malicious or compromised pod could bypass network restrictions enforced by network policies during namespace deletion. The order in which objects are deleted during namespace termination is not defined, and it is possible for network policies to be deleted before the pods that they protect. This can lead to a brief period in which the pods are running, but network policies that should apply to connections to and from the pods are not enforced.
CVE-2025-64118 1 Node-tar Project 1 Node-tar 2026-04-15 N/A
node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.
CVE-2025-10778 1 Smartstore 1 Smartstore 2026-04-15 3.1 Low
A vulnerability has been found in Smartstore up to 6.2.0. The affected element is an unknown function of the file /checkout/confirm/ of the component Gift Voucher Handler. The manipulation leads to race condition. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is described as difficult. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-46336 2026-04-15 4.2 Medium
Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1.
CVE-2024-29863 2026-04-15 7.8 High
A race condition in the installer executable in Qlik Qlikview before versions May 2022 SR3 (12.70.20300) and May 2023 SR2 (12,80.20200) may allow an existing lower privileged user to cause code to be executed in the context of a Windows Administrator.
CVE-2024-2307 1 Redhat 1 Enterprise Linux 2026-04-15 6.1 Medium
A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built.
CVE-2024-33904 1 Hyprland 1 Hyprland 2026-04-15 7 High
In plugins/HookSystem.cpp in Hyprland through 0.39.1 (before 28c8561), through a race condition, a local attacker can cause execution of arbitrary assembly code by writing to a predictable temporary file.
CVE-2024-43701 1 Imaginationtech 1 Graphics Ddk 2026-04-15 7.8 High
Software installed and run as a non-privileged user may conduct GPU system calls to read and write freed physical memory from the GPU.
CVE-2024-2193 2 Amd, Xen 2 Cpu, Xen 2026-04-15 5.7 Medium
A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.
CVE-2023-48366 2026-04-15 5.3 Medium
Race condition in some Intel(R) System Security Report and System Resources Defense firmware may allow a privileged user to potentially enable information disclosure via local access.
CVE-2024-36262 2026-04-15 7.2 High
Race condition in some Intel(R) System Security Report and System Resources Defense firmware may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2025-12472 1 Google 1 Cloud Looker 2026-04-15 N/A
An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.103+ * 24.18.195+ * 25.0.72+ * 25.6.60+ * 25.8.42+ * 25.10.22+