CVE-2026-56234

Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validatepasswordcompliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate...

CVE-2026-56234

Capgo prior to 12.128.2 exposes a credential validation endpoint (POST /functions/v1/private/validate_password_compliance) that is accessible with only the public Supabase key and lacks authentication. The endpoint uses permissive CORS with a wildcard origin and has no rate limiting, which enable...

CVE-2026-56255

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications without rate limiting or quota enforcement. Attackers can repeatedly invoke this endpoint to generate...

CVE-2026-42604

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

CVE-2026-42604 Actual has an OpenID `client_secret` Disclosure via Broken Authorization Guard in `/openid/config`

Actual is a local-first personal finance tool. The POST /openid/config endpoint in Actual Budget's sync-server versions = 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 clientsecret—to any caller who knows the bootstrap password. The endpoint also lacks authentication a...

CVE-2026-42604

The CVE concerns Actual Budget’s sync-server (local-first Personal Finance tool). Versions ≤ 26.4.0 expose the full OpenID Connect configuration, including the OAuth2 client_secret, via POST /openid/config to callers who know the bootstrap password. The endpoint lacks authentication and rate limi...

EUVD-2026-35107

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2...

CVE-2026-46440 Flowise: Basic Auth Credentials Exposed via API

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2...

CVE-2026-46440

Flowise CVE-2026-46440 affects Flowise versions before 3.1.2. The vulnerability is in the checkBasicAuth endpoint, which validates credentials in plaintext using direct comparison and without rate limiting. This can enable credential brute-forcing and enumeration, potentially granting access to t...

CVE-2026-36607

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint code=10, which lacks the rate limiting applied to the login endpoint code=7. An attacker on the adjacent network can attempt unlimited passwords without...

CVE-2026-33877

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint /api/v1/@apostrophecms/login/reset-request that allows unauthenticated username and email enumeration. When a user is not found,...

CVE-2026-40498

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can access diagnostic and system tools that should be restricted to administrators. The /system/cron endpoint relies on a static MD5 hash derived from the APPKEY, which is exposed i...

CVE-2026-36607

Mercusys AC12G (EU) V1 router, firmware AC12G(EU)_V1_200909, is affected by CVE-2026-36607. The TDDP password change endpoint (code=10) allows unauthenticated brute-force attempts without rate limiting, unlike the login endpoint (code=7). An attacker on an adjacent network can attempt unlimited p...

EUVD-2026-34146

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint code=10, which lacks the rate limiting applied to the login endpoint code=7. An attacker on the adjacent network can attempt unlimited passwords without...

CVE-2026-36607

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint code=10, which lacks the rate limiting applied to the login endpoint code=7. An attacker on the adjacent network can attempt unlimited passwords without...

CVE-2026-36607

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint code=10, which lacks the rate limiting applied to the login endpoint code=7. An attacker on the adjacent network can attempt unlimited passwords without...

YAMCS yamcs-core 5.12.7 - No Rate Limiting

Exploit Title: YAMCS yamcs-core 5.12.7 - No Rate Limiting Date: 2026-05-27 Exploit Author: Daniel Miranda Barcelona Excal1bur Vendor Homepage: https://yamcs.org Software Link: https://github.com/yamcs/yamcs Version: 5.12.7 Tested on: Linux CVE: CVE-2026-44596 Category: Remote / Brute Force...

Exploit for CVE-2026-44596

CVE-2026-44596 — YAMCS No Rate Limiting on Authentication Endp...

CVE-2026-48524

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...

CVE-2026-48524

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...