Lucene search
+L

42 matches found

cvelist
cvelist
added 2026/06/20 3:24 p.m.34 views

CVE-2026-56307 Cap-go - Broken Cursor Pagination in /private/devices Endpoint

Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.readdevices access can exploit...

5.3CVSS0.00238EPSS
Exploits0References2
osv
osv
added 2026/06/20 3:24 p.m.3 views

CVE-2026-56307 Cap-go - Broken Cursor Pagination in /private/devices Endpoint

Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.readdevices access can exploit...

5.3CVSS6AI score0.00238EPSS
Exploits0References4
cve
cve
added 2026/06/20 3:24 p.m.22 views

CVE-2026-56307

Cap-go before 12.128.12 has a broken cursor pagination vulnerability in the /private/devices endpoint of the Cloudflare/workerd path. Authenticated attackers with app.read_devices can exploit non-advancing cursor filters to trigger infinite pagination loops, causing duplicate pages and making lat...

5.3CVSS5.9AI score0.00238EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/20 3:24 p.m.6 views

CVE-2026-56235

Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions getappmetrics, getglobalmetrics, gettotalmetrics that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public...

6.9CVSS5.9AI score0.00274EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/20 12:0 a.m.19 views

PT-2026-51149

Name of the Vulnerable Software and Affected Versions capgo versions prior to 12.128.2 Description An authorization bypass exists in several Supabase PostgREST RPC functions: get app metrics, get global metrics, and get total metrics. These functions are granted to the anon role without enforcing...

6.9CVSS5.8AI score0.00274EPSS
Exploits0References9
nvd
nvd
added 2026/06/19 10:16 p.m.14 views

CVE-2026-56073

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful,...

9.4CVSS0.00188EPSS
Exploits0References2
cve
cve
added 2026/06/19 9:39 p.m.24 views

CVE-2026-56082

Capgo (Cap-go/capgo) prior to 12.128.2 has an improper access control in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is accessible to anon and can be called with the public Supabase publishable anon key. An unauthenticated attacker can insert into public.build_logs...

8.7CVSS6AI score0.00242EPSS
Exploits0References2
cvelist
cvelist
added 2026/06/19 9:39 p.m.24 views

CVE-2026-56080 Cap-go - Authentication Logic Flaw in Enforce Password Policy

Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state. As a result, the backend continues to treat the account as...

6.9CVSS0.00299EPSS
Exploits0References2
osv
osv
added 2026/06/19 9:39 p.m.3 views

CVE-2026-56081 Cap-go - Account Lockout via 2FA Misconfiguration on Unverified Email

Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account...

9.3CVSS6AI score0.00351EPSS
Exploits0References4
attackerkb
attackerkb
added 2026/06/19 9:39 p.m.4 views

CVE-2026-56073

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful,...

9.4CVSS5.9AI score0.00188EPSS
Exploits0References3
osv
osv
added 2026/06/19 9:39 p.m.3 views

CVE-2026-56073 Cap-go - OTP Bypass via Response Manipulation in Email Verification

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful,...

9.3CVSS6AI score0.00188EPSS
Exploits0References4
cve
cve
added 2026/06/19 9:39 p.m.41 views

CVE-2026-56073

CVE-2026-56073 affects Cap-go before 12.128.2. An authentication bypass in OTP verification lets an attacker bypass email verification by manipulating server responses, intercepting OTP requests and falsely marking verification as successful. This enables unauthorized 2FA enablement and potential...

9.4CVSS5.9AI score0.00188EPSS
Exploits0References2
cvelist
cvelist
added 2026/06/19 9:39 p.m.30 views

CVE-2026-56073 Cap-go - OTP Bypass via Response Manipulation in Email Verification

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful,...

9.4CVSS0.00188EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/19 12:0 a.m.21 views

PT-2026-51036

Name of the Vulnerable Software and Affected Versions Cap-go versions prior to 12.128.2 Description An authentication bypass exists in the OTP One-Time Password verification process. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely indicate that...

9.4CVSS5.9AI score0.00188EPSS
Exploits0References9
nvd
nvd
added 2026/06/12 5:16 p.m.11 views

CVE-2026-53981

Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as password or MFA verification. Attackers can redirect...

7.6CVSS0.00267EPSS
Exploits0References3
osv
osv
added 2026/06/12 4:25 p.m.3 views

CVE-2026-53982 Cap-go Console < 12.28.2 Account Deletion DoS via Device Identifier Association

Cap-go Console 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the...

7.1CVSS5.9AI score0.00329EPSS
Exploits0References5
euvd
euvd
added 2026/06/12 3:42 p.m.13 views

EUVD-2026-36496

Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as password or MFA verification. Attackers can redirect...

7.6CVSS5.3AI score0.00267EPSS
Exploits0References3
cvelist
cvelist
added 2026/06/12 3:42 p.m.37 views

CVE-2026-53981 Cap-go < v12.128.2 Account Takeover via Unauthenticated Email Change Mechanism

Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as password or MFA verification. Attackers can redirect...

7.6CVSS0.00267EPSS
Exploits0References3
vulnrichment
vulnrichment
added 2026/06/12 3:42 p.m.13 views

CVE-2026-53981 Cap-go < v12.128.2 Account Takeover via Unauthenticated Email Change Mechanism

Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as password or MFA verification. Attackers can redirect...

7.6CVSS5.3AI score0.00267EPSS
Exploits0References3
cve
cve
added 2026/06/12 3:42 p.m.26 views

CVE-2026-53981

Cap-go prior to 12.128.2 contains an account-takeover vulnerability in its email-change mechanism. An attacker with a temporary authenticated session can change the registered email address without re-authentication (no password or MFA verification), redirect verification to an attacker-controlle...

7.6CVSS5.3AI score0.00267EPSS
Exploits0References3
Rows per page
Query Builder