Total: 2379 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-41458 | | | 2026-06-17 | N/A | N/A |
| OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication. | |||||
| CVE-2026-40943 | | | 2026-06-17 | N/A | N/A |
| Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2. | |||||
| CVE-2026-40178 | 1 Ajenti | 1 Ajenti Plugin Core | 2026-06-17 | N/A | 5.9 MEDIUM |
| ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if 2FA was activated, it was possible, for a short moment after the authentication of a user, to bypass its authentication. This vulnerability is fixed in 0.112. | |||||
| CVE-2026-40155 | 1 Auth0 | 1 Nextjs-auth0 | 2026-06-17 | N/A | 5.4 MEDIUM |
| The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0. | |||||
| CVE-2026-39880 | 1 Remnawave | 1 Remnawave Backend | 2026-06-17 | N/A | 5.0 MEDIUM |
| Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscriptions and consume excessive traffic. This vulnerability is fixed in 2.7.5. | |||||
| CVE-2026-35554 | | | 2026-06-17 | N/A | 8.7 HIGH |
| A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch’s ByteBuffer is prematurely deallocated and returned to the buffer pool. If a subsequent producer batch—potentially destined for a different topic—reuses this freed buffer before the original network request completes, the buffer contents may become corrupted. This can result in messages being delivered to unintended topics without any error being reported to the producer. Data Confidentiality: Messages intended for one topic may be delivered to a different topic, potentially exposing sensitive data to consumers who have access to the destination topic but not the intended source topic. Data Integrity: Consumers on the receiving topic may encounter unexpected or incompatible messages, leading to deserialization failures, processing errors, and corrupted downstream data. This issue affects Apache Kafka versions ≤ 3.9.1, ≤ 4.0.1, and ≤ 4.1.1. Kafka users are advised to upgrade to 3.9.2, 4.0.2, 4.1.2, 4.2.0, or later to address this vulnerability. | |||||
| CVE-2026-35099 | | | 2026-06-17 | N/A | 7.4 HIGH |
| Lakeside SysTrack Agent 11 before 11.5.0.15 has a race condition with resultant local privilege escalation to SYSTEM. The fixed versions are 11.2.1.28, 11.3.0.38, 11.4.0.24, and 11.5.0.15. | |||||
| CVE-2026-34862 | 1 Huawei | 1 Harmonyos | 2026-06-17 | N/A | 6.3 MEDIUM |
| Race condition vulnerability in the power consumption statistics module. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2026-34861 | 1 Huawei | 1 Harmonyos | 2026-06-17 | N/A | 6.3 MEDIUM |
| Race condition vulnerability in the thermal management module. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2026-34858 | 1 Huawei | 1 Harmonyos | 2026-06-17 | N/A | 4.1 MEDIUM |
| UAF vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2026-34857 | 1 Huawei | 1 Harmonyos | 2026-06-17 | N/A | 4.7 MEDIUM |
| UAF vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2026-34856 | 1 Huawei | 1 Harmonyos | 2026-06-17 | N/A | 7.3 HIGH |
| UAF vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2026-34851 | 1 Huawei | 1 Harmonyos | 2026-06-17 | N/A | 2.2 LOW |
| Race condition vulnerability in the event notification module. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2026-34850 | 1 Huawei | 1 Harmonyos | 2026-06-17 | N/A | 1.9 LOW |
| Race condition vulnerability in the notification service. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2026-34849 | 1 Huawei | 1 Harmonyos | 2026-06-17 | N/A | 2.5 LOW |
| UAF vulnerability in the screen management module. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2026-34368 | 1 Wwbn | 1 Avideo | 2026-06-17 | N/A | 5.3 MEDIUM |
| WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `transferBalance()` method in `plugin/YPTWallet/YPTWallet.php` contains a Time-of-Check-Time-of-Use (TOCTOU) race condition. The method reads the sender's wallet balance, checks sufficiency in PHP, then writes the new balance — all without database transactions or row-level locking. An attacker with multiple authenticated sessions can send concurrent transfer requests that all read the same stale balance, each passing the balance check independently, resulting in only one deduction being applied while the recipient is credited multiple times. Commit 34132ad5159784bfc7ba0d7634bb5c79b769202d contains a fix. | |||||
| CVE-2026-34363 | 1 Parseplatform | 1 Parse-server | 2026-06-17 | N/A | 5.3 MEDIUM |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object. Additionally, when an afterEvent Cloud Code trigger is registered, one subscriber's trigger modifications can leak to other subscribers through the same shared mutable state. Any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class. This issue has been patched in versions 8.6.65 and 9.7.0-alpha.9. | |||||
| CVE-2026-34351 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-06-17 | N/A | 7.8 HIGH |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2026-34345 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-06-17 | N/A | 7.0 HIGH |
| Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2026-34342 | 1 Microsoft | 14 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 11 more | 2026-06-17 | N/A | 7.0 HIGH |
| Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Print Spooler Components allows an authorized attacker to elevate privileges locally. | |||||
