Lucene search
K

10 matches found

EUVD
EUVD
added 5 hours ago5 views

EUVD-2026-40627

Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.getorguseraccessrbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose...

8.7CVSS5.7AI score
Exploits0References3
CVE
CVE
added yesterday4 views

CVE-2026-56219

Capgo before 12.128.2 contains a NULL-auth bypass in public.get_org_user_access_rbac that allows unauthenticated attackers to disclose RBAC role bindings and member email addresses. The issue arises from improper NULL comparison in the authorization gate, enabling disclosure of organization membe...

8.7CVSS5.7AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/21 12:0 a.m.15 views

PT-2026-51223

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description Improper access control in the public.get org members RPC function allows unauthenticated attackers to enumerate organization members. By using a public sb publishable key and an organization UUID,...

8.7CVSS5.9AI score0.00249EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/06/12 6:11 p.m.26 views

CVE-2026-47236 Solidtime team page exposes pending invitation and member emails to employees who lack invitations:view/members:view permission

Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam and then loads and...

4.3CVSS0.00183EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 6:11 p.m.12 views

CVE-2026-47236

CVE-2026-47236 affects the Solidtime open‑source time-tracking app prior to version 0.12.2. The root cause is insufficient access control in the Jetstream-backed team page: invitations:view and members:view permissions gate the official APIs, but the Jetstream page authorizes access with only bel...

4.3CVSS5.3AI score0.00183EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 6:11 p.m.9 views

CVE-2026-47236 Solidtime team page exposes pending invitation and member emails to employees who lack invitations:view/members:view permission

Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam and then loads and...

4.3CVSS5.2AI score0.00183EPSS
Exploits0References2
NVD
NVD
added 2025/11/10 10:15 p.m.3 views

CVE-2025-64504

Langfuse is an open source large language model engineering platform. Starting in version 2.70.0 and prior to versions 2.95.11 and 3.124.1, in certain project membership APIs, the server trusted a user‑controlled orgId and used it in authorization checks. As a result, any authenticated user on th...

5CVSS0.00297EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2025/11/10 9:51 p.m.3 views

CVE-2025-64504 Langfuse vulnerable to cross‑organization enumeration of member & invitation lists via project membership APIs

Langfuse is an open source large language model engineering platform. Starting in version 2.70.0 and prior to versions 2.95.11 and 3.124.1, in certain project membership APIs, the server trusted a user‑controlled orgId and used it in authorization checks. As a result, any authenticated user on th...

5CVSS6.3AI score0.00297EPSS
Exploits0References6
CVE
CVE
added 2025/11/10 9:51 p.m.15 views

CVE-2025-64504

Langfuse vulnerability CVE-2025-64504 affects 2.70.0–2.95.10 and 3.0.0–3.124.0. The issue stems from the server trusting a user‑controlled orgId in project membership APIs, allowing any authenticated user on the same instance to enumerate member names and email addresses from other organizations ...

5CVSS6.4AI score0.00297EPSS
Exploits0References6Affected Software1
Cvelist
Cvelist
added 2025/11/10 9:51 p.m.8 views

CVE-2025-64504 Langfuse vulnerable to cross‑organization enumeration of member & invitation lists via project membership APIs

Langfuse is an open source large language model engineering platform. Starting in version 2.70.0 and prior to versions 2.95.11 and 3.124.1, in certain project membership APIs, the server trusted a user‑controlled orgId and used it in authorization checks. As a result, any authenticated user on th...

5CVSS0.00297EPSS
Exploits0References6
Rows per page
Query Builder