1494 matches found
EUVD-2026-37897
Woodpecker gRPC agentid metadata can be spoofed- cross-tenant agent impersonation...
WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting/Remote Code Execution
WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a cross-site scripting vulnerability that can lead to remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code executio...
CVE-2026-56313
Capgo before 12.128.2 contains a cross-organization account disruption vulnerability in the SSO prelink endpoint that allows enterprise administrators to delete password identities of users in foreign organizations. Attackers with org.updatesettings permission and an active SSO provider can call...
ROOT-APP-MAVEN-CVE-2026-24734 CVE-2026-24734 in io.root.org.apache.tomcat.embed:tomcat-embed-core - Patched by Root
Root has patched CVE-2026-24734 in the io.root.org.apache.tomcat.embed:tomcat-embed-core package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2025-49125 CVE-2025-49125 in io.root.org.apache.tomcat:tomcat-catalina - Patched by Root
Root has patched CVE-2025-49125 in the io.root.org.apache.tomcat:tomcat-catalina package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-42498 CVE-2026-42498 in io.root.org.apache.tomcat.embed:tomcat-embed-core - Patched by Root
Root has patched CVE-2026-42498 in the io.root.org.apache.tomcat.embed:tomcat-embed-core package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2025-48988 CVE-2025-48988 in io.root.org.apache.tomcat:tomcat-catalina - Patched by Root
Root has patched CVE-2025-48988 in the io.root.org.apache.tomcat:tomcat-catalina package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2024-38827 CVE-2024-38827 in io.root.org.springframework.security:spring-security-core - Patched by Root
Root has patched CVE-2024-38827 in the io.root.org.springframework.security:spring-security-core package for Root:Maven. Multiple fixed versions available...
CVE-2026-56246 Capgo - Cross-Organization Authorization Bypass via Scoped API Key Privilege Inheritance
Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key limitedtoorgs inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a write-mod...
CVE-2026-56220 Capgo - Unauthorized Manifest Insertion via Read-Only Org Member
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3path values that are served to device...
xorg-x11-server: xorg-x11-server-Xwayland: xorg-x11-server: stack buffer overflow in font alias resolution due to libXfont2 name length mismatch
A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. A mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias...
xorg-x11-server: xorg-x11-server-Xwayland: xorg-x11-server: use-after-free in SyncChangeCounter()
A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter. A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or f...
CVE-2026-4375
The DoLeads Integrator WordPress plugin through 0.65, wp2epub WordPress plugin through 0.65 have been seen to be used to achieve RCE, once they are added adding to a blog, for example using a vulnerability where unclosed extensions from wordpress.org can be installed by unauthorized users...
CVE-2026-22555
Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets...
CVE-2026-22555 Gitea organization forks can expose organization secrets without create permission
Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets...
EUVD-2026-40627
Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.getorguseraccessrbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose...
CVE-2026-56333
Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers can bypass backend validation by directly updating the public.orgs table from the browser,...
CVE-2026-56327
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call a SECURITY DEFINER function with a publishable API key to...
CVE-2026-56247
Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perfor...
CVE-2026-56247 Capgo - Privilege Escalation via Cross-Scope RBAC Role Assignment
Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perfor...