Lucene search
K

8 matches found

OSV
OSV
added 3 days ago3 views

CVE-2026-56296 Cap-go - App Existence Oracle via Unauthenticated transfer_app RPC

Cap-go before 12.128.2 contains an information disclosure vulnerability in the public.transferapp RPC function that returns distinct error messages for existing versus non-existing app IDs. Unauthenticated attackers can enumerate valid app IDs by observing error message differences when calling...

6.9CVSS6.1AI score0.00239EPSS
Exploits0References4
Cvelist
Cvelist
added 4 days ago29 views

CVE-2026-56329 Capgo - Cross-Tenant Preview Namespace Collision via Non-Bijective Underscore Decoding

Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can register app IDs with underscores that collide with other tenants' dotted app IDs, causing preview...

6.4CVSS0.00237EPSS
Exploits0References2
CVE
CVE
added 2026/06/24 11:53 a.m.9 views

CVE-2026-56337

Capgo before 12.128.2 has an information disclosure in the public.exist_app_v2 RPC function that lets unauthenticated attackers enumerate app_ids via POST /rest/v1/rpc/exist_app_v2 with arbitrary appid parameters. This SECURITY DEFINER function can reveal whether specific app_ids exist in the pub...

6.9CVSS6AI score0.00261EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 11:53 a.m.32 views

CVE-2026-56302 Capgo - Unsecured Supabase Images Bucket via Missing Row Level Security

Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs...

6.9CVSS0.00208EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/24 11:53 a.m.11 views

EUVD-2026-38749

Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs...

6.9CVSS5.9AI score0.00208EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/20 12:0 a.m.18 views

PT-2026-51157

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An information disclosure issue exists in the 'GET /statistics/app/:app id' endpoint. This allows users with app-limited API keys to identify existing sibling app IDs by analyzing differential error...

5.3CVSS5.9AI score0.00187EPSS
Exploits0References9
EUVD
EUVD
added 2026/03/13 8:2 p.m.8 views

EUVD-2026-11696

Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint...

6.5CVSS5.8AI score0.00276EPSS
Exploits0References4
OSV
OSV
added 2026/03/12 7:43 p.m.6 views

CVE-2026-32269 Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value ...

6.3CVSS5.8AI score0.00276EPSS
Exploits0References5
Rows per page
Query Builder