
5 matches found

CVE
added yesterday, 8 views

CVE-2026-56337

Capgo before 12.128.2 has an information disclosure in the public.exist_app_v2 RPC function that lets unauthenticated attackers enumerate app_ids via POST /rest/v1/rpc/exist_app_v2 with arbitrary appid parameters. This SECURITY DEFINER function can reveal whether specific app_ids exist in the pub...

CVSS 6.9, AI score 6
Exploits: 0, References: 2

Cvelist
added yesterday, 8 views

CVE-2026-56302 Capgo - Unsecured Supabase Images Bucket via Missing Row Level Security

Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs...

CVSS 6.9
Exploits: 0, References: 2

EUVD
added yesterday, 7 views

EUVD-2026-38749

Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs...

CVSS 6.9, AI score 5.9
Exploits: 0, References: 2

EUVD
added 2026/03/13 8:2 p.m., 6 views

EUVD-2026-11696

Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint...

CVSS 6.5, AI score 5.8, EPSS 0.00276
Exploits: 0, References: 4

OSV
added 2026/03/12 7:43 p.m., 5 views

CVE-2026-32269 Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value ...

CVSS 6.3, AI score 5.8, EPSS 0.00276
Exploits: 0, References: 5