Export limit exceeded: 363403 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (2564 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-1127 | 1 Lexmark | 1 Lexmark | 2026-04-15 | 9.1 Critical |
| The vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user and/or modify the contents of any data on the filesystem. | ||||
| CVE-2023-49603 | 2026-04-15 | 7.5 High | ||
| Race condition in some Intel(R) System Security Report and System Resources Defense firmware may allow a privileged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2025-12472 | 1 Google | 1 Cloud Looker | 2026-04-15 | N/A |
| An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.103+ * 24.18.195+ * 25.0.72+ * 25.6.60+ * 25.8.42+ * 25.10.22+ | ||||
| CVE-2025-0372 | 2026-04-15 | N/A | ||
| Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in HYPR Passwordless on Windows allows Privilege Escalation.This issue affects HYPR Passwordless: before 10.1. | ||||
| CVE-2025-52993 | 2 Gnu, Nixos | 2 Guix, Nix | 2026-04-15 | 5.6 Medium |
| A race condition in the Nix, Lix, and Guix package managers enables changing the ownership of arbitrary files to the UID and GID of the build user (e.g., nixbld* or guixbuild*). This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b. | ||||
| CVE-2024-47968 | 2026-04-15 | 4.4 Medium | ||
| Improper resource shutdown in middle of certain operations on some Solidigm DC Products may allow an attacker to potentially enable denial of service. | ||||
| CVE-2024-32985 | 2026-04-15 | 5.9 Medium | ||
| Stellar-core is a reference implementation for the peer-to-peer agent that manages the Stellar network. Prior to 20.4.0, core nodes could be randomly crashed due to a race condition with a 3rd party library. The likelihood of affecting the network is low since crashed nodes come back up online right away. Code fix mitigation is part of Stellar-core v20.4.0 release | ||||
| CVE-2024-51505 | 2026-04-15 | 8 High | ||
| An issue was discovered in Atos Eviden IDRA before 2.7.1. A highly trusted role (Config Admin) could leverage a race condition to escalate privileges. | ||||
| CVE-2024-6162 | 1 Redhat | 11 Apache Camel Hawtio, Apache Camel Spring Boot, Build Keycloak and 8 more | 2026-04-15 | 7.5 High |
| A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up. | ||||
| CVE-2025-30235 | 1 Securenvoy | 1 Securaccess | 2026-04-15 | 3.5 Low |
| Shearwater SecurEnvoy SecurAccess Enrol before 9.4.515 is intended to disable accounts that have had more than 10 failed authentication attempts, but instead allows hundreds of failed authentication attempts, because concurrent attempts are mishandled. | ||||
| CVE-2024-36262 | 2026-04-15 | 7.2 High | ||
| Race condition in some Intel(R) System Security Report and System Resources Defense firmware may allow a privileged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2025-20104 | 2026-04-15 | 7.3 High | ||
| Race condition in some Administrative Tools for some Intel(R) Network Adapters package before version 29.4 may allow an authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2025-54955 | 1 Opennebula | 1 Opennebula | 2026-04-15 | 8.1 High |
| OpenNebula Community Edition (CE) before 7.0.0 and Enterprise Edition (EE) before 6.10.3 have a critical FireEdge race condition that can lead to full account takeover. By exploiting this, an unauthenticated attacker can obtain a valid JSON Web Token (JWT) belonging to a legitimate user without knowledge of their credentials. | ||||
| CVE-2024-4418 | 1 Redhat | 3 Advanced Virtualization, Enterprise Linux, Rhel Eus | 2026-04-15 | 6.2 Medium |
| A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it. | ||||
| CVE-2025-59052 | 1 Angular | 1 Angular | 2026-04-15 | 7.1 High |
| Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks. The APIs `bootstrapApplication`, `getPlatform`, and `destroyPlatform` were vulnerable and required SSR-only breaking changes. The issue has been patched in all active release lines as well as in the v21 prerelease. Patched packages include `@angular/platform-server` 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14 and `@angular/ssr` 21.0.0-next.3, 20.3.0, 19.2.16, and 18.2.21. Several workarounds are available. Disable SSR via Server Routes or builder options, remove any asynchronous behavior from custom `bootstrap` functions, remove uses of `getPlatform()` in application code, and/or ensure that the server build defines `ngJitMode` as false. | ||||
| CVE-2025-64168 | 1 Agno-agi | 1 Agno | 2026-04-15 | 7.1 High |
| Agno is a multi-agent framework, runtime and control plane. From 2.0.0 to before 2.2.2, under high concurrency, when session_state is passed to Agent or Team during run or arun calls, a race condition can occur, causing a session_state to be assigned and persisted to the incorrect session. This may result in user data from one session being exposed to another user. This has been patched in version 2.2.2. | ||||
| CVE-2024-46971 | 2026-04-15 | 7.8 High | ||
| Software installed and run as a non-privileged user may conduct GPU system calls to read and write freed physical memory from the GPU. | ||||
| CVE-2024-2307 | 1 Redhat | 1 Enterprise Linux | 2026-04-15 | 6.1 Medium |
| A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built. | ||||
| CVE-2024-47892 | 2026-04-15 | 7.8 High | ||
| Software installed and run as a non-privileged user may conduct GPU system calls to read and write freed physical memory from the GPU. | ||||
| CVE-2025-64118 | 1 Node-tar Project | 1 Node-tar | 2026-04-15 | N/A |
| node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2. | ||||