4 matches found
CVE-2026-56221
Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can injec...
CVE-2026-56316 Cap-go - Job Existence Oracle via Unauthenticated OPTIONS /build/upload/:jobId/*
Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/ endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to...
CVE-2026-56307 Cap-go - Broken Cursor Pagination in /private/devices Endpoint
Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.readdevices access can exploit...
PT-2026-51036
Name of the Vulnerable Software and Affected Versions Cap-go versions prior to 12.128.2 Description An authentication bypass exists in the OTP One-Time Password verification process. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely indicate that...