
5484 matches found

EUVD
added 9 hours ago, 4 views

EUVD-2026-40436

Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observi...

CVSS 6.9, AI score 5.8
Exploits 0, References 3
EUVD
added 9 hours ago, 4 views

EUVD-2026-40437

Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. Authenticated attackers can create device records for an application using a foreign organization...

CVSS 7.1, AI score 5.8
Exploits 0, References 3
EUVD
added 9 hours ago, 3 views

EUVD-2026-40438

Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable AP...

CVSS 6.9, AI score 5.8
Exploits 0, References 3
EUVD
added 9 hours ago, 4 views

EUVD-2026-40429

Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perfor...

CVSS 8.8, AI score 5.8
Exploits 0, References 3
CVE
added yesterday, 2 views

CVE-2026-56333

Capgo before 12.128.2 is affected by a server-side validation bypass in organization security settings. The vulnerability lets authenticated org admins bypass backend validation by directly updating the public.orgs table from the browser, bypassing field-level checks such as max_apikey_expiration...

CVSS 5.3, AI score 5.8
Exploits 0, References 2
CVE
added yesterday, 4 views

CVE-2026-56327

Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call a SECURITY DEFINER function with a publishable API key to...

CVSS 6.9, AI score 5.8
Exploits 0, References 2
CVE
added yesterday, 4 views

CVE-2026-56320

Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id without validating it matches the target app's owner organization. Authenticated attackers can create device records for an application using a foreign organization identifier...

CVSS 7.1, AI score 5.8
Exploits 0, References 2
CVE
added yesterday, 5 views

CVE-2026-56318

Capgo before 12.128.2 is affected by an information disclosure vulnerability in /private/validate_password_compliance that lets unauthenticated attackers enumerate valid organization UUIDs via differing responses for malformed, non-existent, and existing IDs. Impact is confidentiality exposure; r...

CVSS 6.9, AI score 5.8
Exploits 0, References 2
CVE
added yesterday, 5 views

CVE-2026-56247

Capgo prior to version 12.128.2 contains a privilege-escalation flaw where org admins can assign org-scoped RBAC roles at the app scope without validating role-scope compatibility, including assignments to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive in...

CVSS 8.8, AI score 5.8
Exploits 0, References 2
NVD
added yesterday, 5 views

CVE-2026-9106

A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing ...

CVSS 4.8
Exploits 0, References 5
CVE
added yesterday, 7 views

CVE-2026-9106

A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing ...

CVSS 4.8, AI score 5.8
Exploits 0, References 5
CVE
added yesterday, 9 views

CVE-2026-58373

CVAT before version 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that lets authenticated attackers enumerate quality report identifiers across organizations by exploiting a missing check_object_permissions on the parent_id parameter of the quality r...

CVSS 5.3, AI score 5.8
Exploits 0, References 4
EUVD
added yesterday, 4 views

EUVD-2026-40361

CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter ...

CVSS 5.3, AI score 5.8
Exploits 0, References 4
CVE
added yesterday, 7 views

CVE-2026-58369

Woodpecker

CVSS 6.9, AI score 5.8
Exploits 0, References 4
Positive Technologies
added yesterday, 4 views

PT-2026-54021

Name of the Vulnerable Software and Affected Versions: Capgo versions prior to 12.128.2
Description: An authentication bypass exists due to an improper NULL comparison in the authorization gate. Unauthenticated attackers can exploit this by using a public API key to access the PostgREST RPC endpoin...

CVSS 8.7, AI score 5.8
Exploits 0, References 4
Positive Technologies
added yesterday, 3 views

PT-2026-54037

Name of the Vulnerable Software and Affected Versions: Capgo versions prior to 12.128.2
Description: Authenticated organization administrators can bypass server-side validation within organization security settings to persist an invalid security policy state. This is achieved by directly updating t...

CVSS 5.3, AI score 5.8
Exploits 0, References 4
EUVD
added 2 days ago, 6 views

EUVD-2026-40141

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules...

CVSS 6.4, AI score 5.8, EPSS 0.00177
Exploits 0, References 2
Cvelist
added 2 days ago, 32 views

CVE-2026-57956 SigNoz 0.130.1 - Cross-Organization Insecure Direct Object Reference in Alert Rules

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules...

CVSS 6.4, EPSS 0.00177
Exploits 0, References 2
CVE
added 2 days ago, 11 views

CVE-2026-57956

SigNoz

CVSS 6.4, AI score 5.8, EPSS 0.00177
Exploits 0, References 2
Nuclei
added 2 days ago, 4 views

Gogs < 0.14.3 - Unauthenticated Organization Teams Disclosure

Gogs before version 0.14.3 contains an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint returns all teams for any organization without requiring authentication. The route group lacks the reqToken middleware, exposing team IDs, names, descriptions,...

CVSS 6.9, AI score 5.8, EPSS 0.01553
Exploits 0, References 2