32 matches found
CVE-2026-56250 Capgo - Arbitrary R2 Object Deletion via Mutable r2_path in app_versions
Capgo before 12.128.2 allows upload-scoped API keys to modify the mutable appversions.r2path field through PostgREST, enabling retargeting to arbitrary R2 bundle objects. Attackers can patch r2path to point to victim objects, soft-delete the attacker-controlled version, and trigger the...
CVE-2026-56217 Capgo - Encrypted Bundle Policy Bypass via Direct PostgREST Update
Capgo before 12.128.2 contains a policy bypass vulnerability in appversions update enforcement that allows app-scoped API keys to downgrade encrypted bundles to non-encrypted state. Attackers with app-scoped all API keys can directly update the appversions table via PostgREST to clear sessionkey...
CVE-2026-56217
Capgo before 12.128.2 contains a policy bypass vulnerability in appversions update enforcement that allows app-scoped API keys to downgrade encrypted bundles to non-encrypted state. Attackers with app-scoped all API keys can directly update the appversions table via PostgREST to clear sessionkey...
CVE-2026-56217 Capgo - Encrypted Bundle Policy Bypass via Direct PostgREST Update
Capgo before 12.128.2 contains a policy bypass vulnerability in appversions update enforcement that allows app-scoped API keys to downgrade encrypted bundles to non-encrypted state. Attackers with app-scoped all API keys can directly update the appversions table via PostgREST to clear sessionkey...
CVE-2026-56314
Capgo before 12.128.12 fails to filter deleted app versions when joining channels during /updates resolution, allowing deleted bundles to remain selectable. Attackers can continue deploying deleted bundles to devices by exploiting the missing appversions.deleted filter in channel version joins...
CVE-2026-56314 Capgo - Deleted Bundle Selection via Missing Deletion Filter in /updates Endpoint
Capgo before 12.128.12 fails to filter deleted app versions when joining channels during /updates resolution, allowing deleted bundles to remain selectable. Attackers can continue deploying deleted bundles to devices by exploiting the missing appversions.deleted filter in channel version joins...
CVE-2026-56314
Capgo before 12.128.12 fails to filter deleted app versions when joining channels during /updates resolution, allowing deleted bundles to remain selectable. Attackers can continue deploying deleted bundles to devices by exploiting the missing appversions.deleted filter in channel version joins...
EUVD-2026-38371
Capgo before 12.128.12 fails to filter deleted app versions when joining channels during /updates resolution, allowing deleted bundles to remain selectable. Attackers can continue deploying deleted bundles to devices by exploiting the missing appversions.deleted filter in channel version joins...
CVE-2026-56314 Capgo - Deleted Bundle Selection via Missing Deletion Filter in /updates Endpoint
Capgo before 12.128.12 fails to filter deleted app versions when joining channels during /updates resolution, allowing deleted bundles to remain selectable. Attackers can continue deploying deleted bundles to devices by exploiting the missing appversions.deleted filter in channel version joins...
PT-2026-51409
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.12 Description The software fails to filter deleted app versions when joining channels during the resolution of the '/updates' endpoint. This occurs due to a missing app versions.deleted filter in channel version...
@saltcorn/cli (>=1.6.0-alpha.0 <=1.6.0-beta.14), @saltcorn/mobile-builder (>=1.6.0-alpha.0 <=1.6.0-beta.14) potentially affected by CVE-2026-41478 via @saltcorn/mobile-app (>=1.6.0-alpha.0 <=1.6.0-beta.4)
@saltcorn/mobile-app NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-beta.14 Source cves: CVE-2026-41478 Source advisory: SNYK:JS-SALTCORNMOBILEAPP-16110990...
CVE-2025-12420
A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update...
CVE-2025-12420
A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update...
CVE-2025-12420 Unauthenticated Privilege Escalation in ServiceNow AI Platform
A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform. ServiceNow has addressed this vulnerability by deploying a relevant security update...
ABC Fine Wine & Spirits Android App 安全漏洞
ABC Fine Wine & Spirits Android App is a wine shopping app by ABC Fine Wine & Spirits. A security vulnerability exists in ABC Fine Wine & Spirits Android App v.11.27.5 and earlier versions, which stems from improper access control of the login mechanism and could lead to bypassing login checks an...
CVE-2025-48861
A vulnerability in the Task API endpoint of the ctrlX OS setup mechanism allowed a remote, unauthenticated attacker to access and extract internal application data, including potential debug logs and the version of installed apps...
@deck/app (>=1.0.1 <=1.4.11), octophant (=0.1.0) potentially affected by unknown CVE via rimraf-glob (=0.0.0)
rimraf-glob NPM version =0.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on rimraf-glob and may be impacted: - @deck/app =1.0.1, =1.4.11 - octophant =0.1.0 Source cves: unknown CVE Source advisory: OSV:MAL-2025-32233...
CVE-2025-48861
A vulnerability in the Task API endpoint of the ctrlX OS setup mechanism allowed a remote, unauthenticated attacker to access and extract internal application data, including potential debug logs and the version of installed apps...
CVE-2025-48861
A vulnerability in the Task API endpoint of the ctrlX OS setup mechanism allowed a remote, unauthenticated attacker to access and extract internal application data, including potential debug logs and the version of installed apps...
CVE-2025-48861
CVE-2025-48861 describes a vulnerability in the Task API endpoint of the ctrlX OS setup mechanism, where an unauthenticated, remote attacker could access and exfiltrate internal application data (e.g., debug logs and the version of installed apps). Public sources consistently tie the issue to ina...