244 matches found

Source: EUVD (added 2 days ago)

EUVD-2026-40439

Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update stat...

CVSS 7.1 | AI score 5.8 | EPSS 0.00247
Exploits 0 | References 3

Source: EUVD (added 2 days ago)

EUVD-2026-40440

Capgo before 12.128.2 contains improper error handling in the /private/acceptinvitation endpoint that returns HTTP 500 instead of safe 4xx errors when magicinvitestring is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magicinvitestring values ...

CVSS 6.9 | AI score 5.8 | EPSS 0.0025
Exploits 0 | References 3

Source: EUVD (added 2 days ago)

EUVD-2026-40428

Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenticated users with build permissions to bypass upload restrictions. Attackers can append traversal sequences to the upload path, which are normalized by the WHATWG URL parser, enabling acce...

CVSS 8.7 | AI score 5.8 | EPSS 0.00451
Exploits 0 | References 3

Source: EUVD (added 2 days ago)

EUVD-2026-40627

Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.getorguseraccessrbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose...

CVSS 8.7 | AI score 5.7 | EPSS 0.00341
Exploits 0 | References 3

Source: NVD (added 3 days ago)

CVE-2026-56320

Capgo before 12.128.2 contains an authorization flaw in POST /private/createdevice that accepts a caller-supplied orgid parameter without validating it matches the target app's owner organization. Authenticated attackers can create device records for an application using a foreign organization...

CVSS 7.1 | EPSS 0.00222
Exploits 0 | References 2

Source: NVD (added 3 days ago)

CVE-2026-56333

Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers can bypass backend validation by directly updating the public.orgs table from the browser,...

CVSS 5.3 | EPSS 0.00234
Exploits 0 | References 2

Source: NVD (added 3 days ago)

CVE-2026-56327

Capgo before 12.128.2 contains an information disclosure vulnerability in the public.inviteusertoorg RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable AP...

CVSS 6.9 | EPSS 0.00261
Exploits 0 | References 2

Source: NVD (added 3 days ago)

CVE-2026-56328

Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update stat...

CVSS 7.1 | EPSS 0.00247
Exploits 0 | References 2

Source: NVD (added 3 days ago)

CVE-2026-56247

Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perfor...

CVSS 8.8 | EPSS 0.00303
Exploits 0 | References 2

Source: NVD (added 3 days ago)

CVE-2026-56249

Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. Attackers with app.createchannel permission can exploit a logic mismatch between existence validation and...

CVSS 7.6 | EPSS 0.00257
Exploits 0 | References 2

Source: NVD (added 3 days ago)

CVE-2026-56300

Capgo before 12.128.2 contains unauthenticated security definer RPC functions getuserid and getorgpermforapikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using the public API key can validate leaked keys, enumerate users and apps, and determine...

CVSS 8.7 | EPSS 0.00349
Exploits 0 | References 2

Source: NVD (added 3 days ago)

CVE-2026-56219

Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.getorguseraccessrbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose...

CVSS 8.7 | EPSS 0.00341
Exploits 0 | References 2

Source: NVD (added 3 days ago)

CVE-2026-56233

Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenticated users with build permissions to bypass upload restrictions. Attackers can append traversal sequences to the upload path, which are normalized by the WHATWG URL parser, enabling acce...

CVSS 8.7 | EPSS 0.00451
Exploits 0 | References 2

Source: CVE (added 3 days ago)

CVE-2026-56334

Capgo before 12.128.2 is affected by an insufficient UPDATE row-level security (RLS) policy on the build_requests table. Because the policy is missing, builder status updates made via API-key or anonymous access are blocked or left unpersisted, resulting in build status and error details remaining in ...

CVSS 5.3 | AI score 5.8 | EPSS 0.00192
Exploits 0 | References 2

Source: Cvelist (added 3 days ago)

CVE-2026-56334 Capgo - Missing UPDATE RLS Policy for Build Status Persistence

Capgo before 12.128.2 lacks an UPDATE row-level security policy for the buildrequests table, preventing API-key and anonymous access from persisting builder status updates. Attackers can exploit this missing policy to cause build status and error details to remain unpersisted, leaving buildreques...

CVSS 5.3 | EPSS 0.00192
Exploits 0 | References 2

Source: CVE (added 3 days ago)

CVE-2026-56333

Capgo before 12.128.2 is affected by a server-side validation bypass in organization security settings. The vulnerability lets authenticated org admins bypass backend validation by directly updating the public.orgs table from the browser, bypassing field-level checks such as max_apikey_expiration...

CVSS 5.3 | AI score 5.8 | EPSS 0.00234
Exploits 0 | References 2

Source: CVE (added 3 days ago)

CVE-2026-56328

Capgo before 12.128.2 is affected by an integrity issue where multiple public channels for the same app/platform can coexist, and unnamed /updates requests without a defaultChannel may resolve to a hidden winner channel. An authorized app or channel manager can create an ambiguous default update ...

CVSS 7.1 | AI score 5.8 | EPSS 0.00247
Exploits 0 | References 2

Source: CVE (added 3 days ago)

CVE-2026-56331

Capgo before 12.128.2 is affected by improper error handling in the /private/accept_invitation endpoint. The vulnerability causes HTTP 500 errors instead of safe 4xx responses when magic_invite_string is invalid, potentially leaking internal processing details. Attackers can trigger this using on...

CVSS 6.9 | AI score 5.8 | EPSS 0.0025
Exploits 0 | References 2

Source: Cvelist (added 3 days ago)

CVE-2026-56331 Capgo - Improper Error Handling in Accept Invitation Endpoint via Invalid Magic String

Capgo before 12.128.2 contains improper error handling in the /private/acceptinvitation endpoint that returns HTTP 500 instead of safe 4xx errors when magicinvitestring is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magicinvitestring values ...

CVSS 6.9 | EPSS 0.0025
Exploits 0 | References 2

Source: CVE (added 3 days ago)

CVE-2026-56327

Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call a SECURITY DEFINER function with a publishable API key to...

CVSS 6.9 | AI score 5.8 | EPSS 0.00261
Exploits 0 | References 2