3 matches found
CVE-2026-56235
Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions getappmetrics, getglobalmetrics, gettotalmetrics that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public...
CVE-2026-56235
Cap-go capgo prior to 12.128.2 exposes an authorization bypass in multiple Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) granted to anon without org membership or permission checks. An unauthenticated attacker with only the public Supabase API key (sb_p...
CVE-2025-60427
LibreTime 3.0.0-alpha.10 and possibly earlier is vulnerable to Broken Access Control, where a user with the DJ role can access analytics data via the Web UI and direct API calls. The backend does not verify role-based permissions for analytics endpoints, allowing unauthorized retrieval of...