Export limit exceeded: 363403 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (2564 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-1127 1 Lexmark 1 Lexmark 2026-04-15 9.1 Critical
The vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user and/or modify the contents of any data on the filesystem.
CVE-2023-49603 2026-04-15 7.5 High
Race condition in some Intel(R) System Security Report and System Resources Defense firmware may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2025-12472 1 Google 1 Cloud Looker 2026-04-15 N/A
An attacker with a Looker Developer role could manipulate a LookML project to exploit a race condition during Git directory deletion, leading to arbitrary command execution on the Looker instance. Looker-hosted and Self-hosted were found to be vulnerable. This issue has already been mitigated for Looker-hosted instances. No user action is required for these. Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.103+ * 24.18.195+ * 25.0.72+ * 25.6.60+ * 25.8.42+ * 25.10.22+
CVE-2025-0372 2026-04-15 N/A
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in HYPR Passwordless on Windows allows Privilege Escalation.This issue affects HYPR Passwordless: before 10.1.
CVE-2025-52993 2 Gnu, Nixos 2 Guix, Nix 2026-04-15 5.6 Medium
A race condition in the Nix, Lix, and Guix package managers enables changing the ownership of arbitrary files to the UID and GID of the build user (e.g., nixbld* or guixbuild*). This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.
CVE-2024-47968 2026-04-15 4.4 Medium
Improper resource shutdown in middle of certain operations on some Solidigm DC Products may allow an attacker to potentially enable denial of service.
CVE-2024-32985 2026-04-15 5.9 Medium
Stellar-core is a reference implementation for the peer-to-peer agent that manages the Stellar network. Prior to 20.4.0, core nodes could be randomly crashed due to a race condition with a 3rd party library. The likelihood of affecting the network is low since crashed nodes come back up online right away. Code fix mitigation is part of Stellar-core v20.4.0 release
CVE-2024-51505 2026-04-15 8 High
An issue was discovered in Atos Eviden IDRA before 2.7.1. A highly trusted role (Config Admin) could leverage a race condition to escalate privileges.
CVE-2024-6162 1 Redhat 11 Apache Camel Hawtio, Apache Camel Spring Boot, Build Keycloak and 8 more 2026-04-15 7.5 High
A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.
CVE-2025-30235 1 Securenvoy 1 Securaccess 2026-04-15 3.5 Low
Shearwater SecurEnvoy SecurAccess Enrol before 9.4.515 is intended to disable accounts that have had more than 10 failed authentication attempts, but instead allows hundreds of failed authentication attempts, because concurrent attempts are mishandled.
CVE-2024-36262 2026-04-15 7.2 High
Race condition in some Intel(R) System Security Report and System Resources Defense firmware may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2025-20104 2026-04-15 7.3 High
Race condition in some Administrative Tools for some Intel(R) Network Adapters package before version 29.4 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2025-54955 1 Opennebula 1 Opennebula 2026-04-15 8.1 High
OpenNebula Community Edition (CE) before 7.0.0 and Enterprise Edition (EE) before 6.10.3 have a critical FireEdge race condition that can lead to full account takeover. By exploiting this, an unauthenticated attacker can obtain a valid JSON Web Token (JWT) belonging to a legitimate user without knowledge of their credentials.
CVE-2024-4418 1 Redhat 3 Advanced Virtualization, Enterprise Linux, Rhel Eus 2026-04-15 6.2 Medium
A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback while the data pointer's stack frame was concurrently being "freed" when returning from virNetClientIOEventLoop(). The 'virtproxyd' daemon can be used to trigger requests. If libvirt is configured with fine-grained access control, this issue, in theory, allows a user to escape their otherwise limited access. This flaw allows a local, unprivileged user to access virtproxyd without authenticating. Remote users would need to authenticate before they could access it.
CVE-2025-59052 1 Angular 1 Angular 2026-04-15 7.1 High
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks. The APIs `bootstrapApplication`, `getPlatform`, and `destroyPlatform` were vulnerable and required SSR-only breaking changes. The issue has been patched in all active release lines as well as in the v21 prerelease. Patched packages include `@angular/platform-server` 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14 and `@angular/ssr` 21.0.0-next.3, 20.3.0, 19.2.16, and 18.2.21. Several workarounds are available. Disable SSR via Server Routes or builder options, remove any asynchronous behavior from custom `bootstrap` functions, remove uses of `getPlatform()` in application code, and/or ensure that the server build defines `ngJitMode` as false.
CVE-2025-64168 1 Agno-agi 1 Agno 2026-04-15 7.1 High
Agno is a multi-agent framework, runtime and control plane. From 2.0.0 to before 2.2.2, under high concurrency, when session_state is passed to Agent or Team during run or arun calls, a race condition can occur, causing a session_state to be assigned and persisted to the incorrect session. This may result in user data from one session being exposed to another user. This has been patched in version 2.2.2.
CVE-2024-46971 2026-04-15 7.8 High
Software installed and run as a non-privileged user may conduct GPU system calls to read and write freed physical memory from the GPU.
CVE-2024-2307 1 Redhat 1 Enterprise Linux 2026-04-15 6.1 Medium
A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built.
CVE-2024-47892 2026-04-15 7.8 High
Software installed and run as a non-privileged user may conduct GPU system calls to read and write freed physical memory from the GPU.
CVE-2025-64118 1 Node-tar Project 1 Node-tar 2026-04-15 N/A
node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.