Lucene search
K

79 matches found

CVE
CVE
added 4 days ago15 views

CVE-2026-56296

Cap-go before 12.128.2 has an information disclosure flaw in the public.transfer_app RPC that returns distinct error messages for existing versus non-existing app IDs. This enables unauthenticated attackers to enumerate valid app IDs by observing error message differences when calling transfer_ap...

6.9CVSS6.1AI score0.00239EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago36 views

CVE-2026-3367 Lockme OAuth2 calendars integration <= 2.11.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'App ID' Setting

The Lockme OAuth2 calendars integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'App ID' setting in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping. The registersetting call on line 197 lacks a sanitiz...

4.4CVSS0.00256EPSS
Exploits0References14
CVE
CVE
added 4 days ago10 views

CVE-2026-3367

The CVE-2026-3367 entry concerns the WordPress plugin Lockme Cal­endars Integration (

4.4CVSS6.2AI score0.00256EPSS
Exploits0References14
Cvelist
Cvelist
added 2026/06/21 1:26 p.m.32 views

CVE-2026-56229 Capgo - Cross-App Build Job Access via app_id/job_id Mismatch in /build/status and /build/logs

Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched appid and jobid combination. Limited API keys restricted to a single app can...

7.1CVSS0.00221EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/21 1:26 p.m.4 views

CVE-2026-56229

Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched appid and jobid combination. Limited API keys restricted to a single app can...

7.1CVSS5.9AI score0.00221EPSS
Exploits0References3
CVE
CVE
added 2026/06/21 1:26 p.m.22 views

CVE-2026-56229

Capgo before 12.128.2 has an authorization bypass in /build/status and /build/logs that lets an attacker access build jobs from other apps by mixing app_id and job_id. Limited API keys scoped to one app can read status/logs across apps by using an authorized app_id with a job_id from another app,...

7.1CVSS5.9AI score0.00221EPSS
Exploits0References2
OSV
OSV
added 2026/06/21 1:26 p.m.4 views

CVE-2026-56229 Capgo - Cross-App Build Job Access via app_id/job_id Mismatch in /build/status and /build/logs

Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched appid and jobid combination. Limited API keys restricted to a single app can...

7.1CVSS6AI score0.00221EPSS
Exploits0References4
NVD
NVD
added 2026/06/20 4:17 p.m.12 views

CVE-2026-56325

Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for appid lookup in the preview subdomain resolver, allowing underscore characters in appid to act as SQL wildcards. Attackers can create apps with appids differing by one character at underscore positions to cause...

3.1CVSS0.00215EPSS
Exploits0References2
OSV
OSV
added 2026/06/20 3:24 p.m.2 views

CVE-2026-56319 Capgo - App Existence Oracle via GET /statistics/app/:app_id

Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:appid endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by...

5.3CVSS5.9AI score0.00187EPSS
Exploits0References4
OSV
OSV
added 2026/06/20 3:24 p.m.4 views

CVE-2026-56235 Capgo - Unauthenticated Cross-Tenant Metrics Disclosure via RPC Functions

Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions getappmetrics, getglobalmetrics, gettotalmetrics that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public...

6.9CVSS5.9AI score0.00274EPSS
Exploits0References4
CVE
CVE
added 2026/06/20 3:21 p.m.21 views

CVE-2026-56325

Capgo CVE-2026-56325 affects Capgo versions prior to 12.128.2. The preview subdomain resolver uses ILIKE (case-insensitive) matching for app_id lookups instead of exact matching, allowing underscore characters to act as wildcards. This can cause unintended pattern matches, potentially breaking pr...

3.1CVSS5.9AI score0.00215EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/20 3:21 p.m.7 views

EUVD-2026-38113

Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for appid lookup in the preview subdomain resolver, allowing underscore characters in appid to act as SQL wildcards. Attackers can create apps with appids differing by one character at underscore positions to cause...

3.1CVSS5.9AI score0.00215EPSS
Exploits0References2
OSV
OSV
added 2026/06/20 3:21 p.m.3 views

CVE-2026-56325 Capgo - App ID Confusion via ILIKE Wildcard in Preview Subdomain Lookup

Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for appid lookup in the preview subdomain resolver, allowing underscore characters in appid to act as SQL wildcards. Attackers can create apps with appids differing by one character at underscore positions to cause...

2.3CVSS6AI score0.00215EPSS
Exploits0References4
CVE
CVE
added 2026/06/20 12:14 a.m.22 views

CVE-2026-56213

Capgo exploitable before version 12.128.2 via an authorization bypass in the public.upsert_version_meta SECURITY DEFINER function exposed through PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows into version_meta for any app_id. This leads to poisoned storage metrics, pe...

6.9CVSS6AI score0.00235EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/20 12:0 a.m.33 views

PT-2026-51144

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description The preview subdomain resolver uses ILIKE pattern matching instead of exact matching for app id lookup. This allows underscore characters within the app id to function as SQL wildcards. An attacker...

3.1CVSS5.9AI score0.00215EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/06/05 7:34 p.m.12 views

CVE-2026-9048

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 7.0.0 - 7.0.14, via the 'slider.get.full' AJAX Action. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including raw social...

4.3CVSS5.5AI score0.00163EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/02 12:31 a.m.17 views

EUVD-2026-33851

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 7.0.0 - 7.0.14, via the 'slider.get.full' AJAX Action. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including raw social...

4.3CVSS5.8AI score0.00163EPSS
Exploits0References3
NVD
NVD
added 2026/06/02 12:16 a.m.21 views

CVE-2026-9048

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 7.0.0 - 7.0.14, via the 'slider.get.full' AJAX Action. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including raw social...

4.3CVSS0.00163EPSS
Exploits0References2
CVE
CVE
added 2026/06/01 11:28 p.m.34 views

CVE-2026-9048

The Slider Revolution WordPress plugin is affected (versions 7.0.0–7.0.14). The vulnerability arises in the slider.get.full AJAX action, enabling authenticated attackers with Contributor-level access and higher to expose sensitive data stored in slider settings. Exposed data includes raw social m...

4.3CVSS5.8AI score0.00163EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/01 11:28 p.m.12 views

CVE-2026-9048 Slider Revolution 7.0.0 - 7.0.14 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 7.0.0 - 7.0.14, via the 'slider.get.full' AJAX Action. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including raw social...

4.3CVSS5.8AI score0.00163EPSS
Exploits0References2
Rows per page
Query Builder