Lucene search
+L

28 matches found

euvd
euvd
added 2026/07/01 12:34 a.m.7 views

EUVD-2026-40435

Capgo before 12.128.2 contains unauthenticated security definer RPC functions getuserid and getorgpermforapikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using the public API key can validate leaked keys, enumerate users and apps, and determine...

8.7CVSS5.8AI score0.00349EPSS
Exploits0References3
attackerkb
attackerkb
added 2026/06/30 10:8 p.m.5 views

CVE-2026-56300

Capgo before 12.128.2 contains unauthenticated security definer RPC functions getuserid and getorgpermforapikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using the public API key can validate leaked keys, enumerate users and apps, and determine...

8.7CVSS5.8AI score0.00349EPSS
Exploits0References3
cvelist
cvelist
added 2026/06/30 10:8 p.m.23 views

CVE-2026-56300 Capgo - Unauthenticated API Key Validity and Permission Oracle via RPC Functions

Capgo before 12.128.2 contains unauthenticated security definer RPC functions getuserid and getorgpermforapikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using the public API key can validate leaked keys, enumerate users and apps, and determine...

8.7CVSS0.00349EPSS
Exploits0References2
cve
cve
added 2026/06/30 10:8 p.m.13 views

CVE-2026-56300

Capgo before 12.128.2 is affected by CVE-2026-56300 due to unauthenticated security definer RPCs (get_user_id, get_org_perm_for_apikey) that expose API key validity and user UUIDs. Attackers with a public API key can validate leaked keys, enumerate users and apps, and infer permission levels, inc...

8.7CVSS5.8AI score0.00349EPSS
Exploits0References2
osv
osv
added 2026/06/30 10:8 p.m.3 views

CVE-2026-56300 Capgo - Unauthenticated API Key Validity and Permission Oracle via RPC Functions

Capgo before 12.128.2 contains unauthenticated security definer RPC functions getuserid and getorgpermforapikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using the public API key can validate leaked keys, enumerate users and apps, and determine...

8.7CVSS5.9AI score0.00349EPSS
Exploits0References4
nvd
nvd
added 2026/06/21 2:16 p.m.15 views

CVE-2026-56242

Capgo before 12.128.2 contains an unauthenticated security definer RPC function getidentityapikeyonly that returns the owning userid for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys t...

8.7CVSS0.00259EPSS
Exploits0References2
osv
osv
added 2026/06/21 1:26 p.m.4 views

CVE-2026-56242 Capgo - Unauthenticated API Key Validity Oracle and User Identity Disclosure via get_identity_apikey_only RPC

Capgo before 12.128.2 contains an unauthenticated security definer RPC function getidentityapikeyonly that returns the owning userid for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys t...

8.7CVSS5.9AI score0.00259EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/06/21 12:0 a.m.18 views

PT-2026-51221

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An unauthenticated security definer RPC function get identity apikey only returns the owning user id for supplied API keys. This creates an API key validity oracle—a mechanism that allows an attacke...

8.7CVSS5.8AI score0.00259EPSS
Exploits0References7
cve
cve
added 2026/01/21 10:29 p.m.21 views

CVE-2026-23996

CVE-2026-23996 concerns the FastAPI Api Key library. Version 1.1.0 is reported to expose a timing side-channel in verify_key(), where a random delay is applied only on verification failures. This enables an attacker to statistically distinguish valid from invalid API keys by measuring response la...

3.7CVSS5.6AI score0.00254EPSS
Exploits0References3Affected Software1
cnnvd
cnnvd
added 2026/01/21 12:0 a.m.11 views

FastAPI API Key security vulnerability

The FastAPI API Key is a secure key store developed by Athroniaeth’s individual developers. There is a security vulnerability in the FastAPI API Key version 1.1.0; this vulnerability stems from a timing side channel in the verifykey method, which may allow attackers to infer the validity of the A...

3.7CVSS5.8AI score0.00254EPSS
Exploits0References4
euvd
euvd
added 2025/10/07 12:30 a.m.6 views

EUVD-2019-6083

Malware in sbrugna...

5.3CVSS5.4AI score0.03012EPSS
Exploits1References4
osv
osv
added 2025/07/11 6:52 p.m.5 views

MGASA-2025-0206 Updated gnupg2 packages fix security vulnerabilities

Key validity not computed when key is certified by a trusted "certify-only" key regression due to patch for CVE-2025-30258...

6.7AI score
Exploits0References3
mageia
mageia
added 2025/07/11 6:52 p.m.6 views

Updated gnupg2 packages fix security vulnerabilities

Key validity not computed when key is certified by a trusted "certify-only" key regression due to patch for CVE-2025-30258...

7.3AI score
Exploits0References2
redhatcve
redhatcve
added 2025/05/23 12:7 a.m.20 views

CVE-2022-2572

In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked...

9.8CVSS7.2AI score0.00833EPSS
Exploits0References1
mscve
mscve
added 2022/08/30 7:0 a.m.6 views

A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject nor when C_DeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack.

...

5.5CVSS5.9AI score0.00263EPSS
Exploits0
prion
prion
added 2021/06/24 2:15 p.m.29 views

Code injection

If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey, Thunderbird might...

4CVSS6.4AI score0.01035EPSS
Exploits1References2Affected Software1
github
github
added 2021/04/13 3:13 p.m.30 views

Open redirect via transitional IPv6 addresses on dual-stack networks

Impact Requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. Outbound requests to federation, identity servers, when calculating the key validity for third-party invite events, sending push notifications, and generating URL...

6.3CVSS2.1AI score0.00894EPSS
Exploits0References8Affected Software1
ubuntucve
ubuntucve
added 2021/04/13 12:0 a.m.32 views

CVE-2021-23991

If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey, Thunderbird might...

6.8CVSS6.8AI score0.01035EPSS
Exploits1References4
osv
osv
added 2021/04/12 10:15 p.m.24 views

CVE-2021-21392

Synapse is a Matrix reference homeserver written in python pypi package matrix-synapse. Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6...

6.3CVSS6.3AI score
Exploits0References4
redhatcve
redhatcve
added 2021/04/12 7:16 a.m.49 views

CVE-2021-23991

If a Thunderbird user has previously imported Alice's OpenPGP key, and Alice has extended the validity period of her key, but Alice's updated key has not yet been imported, an attacker may send an email containing a crafted version of Alice's key with an invalid subkey, Thunderbird might...

6.8CVSS2.1AI score0.01035EPSS
Exploits1References3
Rows per page
Query Builder