EUVD-2026-38744

Capgo before 12.128.2 allows direct patching of public.apps.ownerorg through PostgREST, bypassing the transferapp workflow and creating split-brain ownership. Attackers can directly update apps.ownerorg while leaving appversions.ownerorg unchanged, enabling old-org keys to retain access to versio...

ROOT-APP-MAVEN-CVE-2026-24734 CVE-2026-24734 in io.root.org.apache.tomcat.embed:tomcat-embed-core - Patched by Root

Root has patched CVE-2026-24734 in the io.root.org.apache.tomcat.embed:tomcat-embed-core package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2025-48988 CVE-2025-48988 in io.root.org.apache.tomcat:tomcat-catalina - Patched by Root

Root has patched CVE-2025-48988 in the io.root.org.apache.tomcat:tomcat-catalina package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2026-42498 CVE-2026-42498 in io.root.org.apache.tomcat.embed:tomcat-embed-core - Patched by Root

Root has patched CVE-2026-42498 in the io.root.org.apache.tomcat.embed:tomcat-embed-core package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2025-49125 CVE-2025-49125 in io.root.org.apache.tomcat:tomcat-catalina - Patched by Root

Root has patched CVE-2025-49125 in the io.root.org.apache.tomcat:tomcat-catalina package for Root:Maven. Multiple fixed versions available...

WordPress XML Sitemap Generator for Google <2.0.4 - Cross-Site Scripting/Remote Code Execution

WordPress XML Sitemap Generator for Google plugin before 2.0.4 contains a cross-site scripting vulnerability that can lead to remote code execution. It does not validate a parameter which can be set to an arbitrary value, thus causing cross-site scripting via error message or remote code executio...

ROOT-APP-MAVEN-CVE-2024-22243 CVE-2024-22243 in io.root.org.springframework:spring-web - Patched by Root

Root has patched CVE-2024-22243 in the io.root.org.springframework:spring-web package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2024-22262 CVE-2024-22262 in io.root.org.springframework:spring-web - Patched by Root

Root has patched CVE-2024-22262 in the io.root.org.springframework:spring-web package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2024-22259 CVE-2024-22259 in io.root.org.springframework:spring-web - Patched by Root

Root has patched CVE-2024-22259 in the io.root.org.springframework:spring-web package for Root:Maven. Multiple fixed versions available...

CVE-2026-56255

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications without rate limiting or quota enforcement. Attackers can repeatedly invoke this endpoint to generate...

EUVD-2026-38370

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.getcurrentplanmaxorg RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase...

ROOT-APP-MAVEN-CVE-2025-41234 CVE-2025-41234 in io.root.org.springframework:spring-web - Patched by Root

Root has patched CVE-2025-41234 in the io.root.org.springframework:spring-web package for Root:Maven. Multiple fixed versions available...

xorg-x11-server: xorg-x11-server-Xwayland: xorg-x11-server: stack buffer overflow in XKB key types due to unchecked shift levels

A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel XkbNumKbdGroups but CheckKeyTypes does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift...

CVE-2026-56253

Capgo is affected by an improper access control vulnerability in the public.get_org_members RPC prior to version 12.128.2. unauthenticated attackers can enumerate organization members by calling the endpoint with a public sb_publishable_* key and an organization UUID, exposing emails, user IDs, r...

CVE-2026-56251 Capgo - Privilege Escalation via Broken Row Level Security in org_users

Capgo before 12.128.2 contains a broken row level security policy in the orgusers table that allows authenticated users to elevate privileges from admin to superadmin. Attackers can exploit the insufficient RLS enforcement to gain unauthorized superadmin access and compromise system security...

EUVD-2026-38117

Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions getappmetrics, getglobalmetrics, gettotalmetrics that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public...

CVE-2026-56216

Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty limits. Attackers with a compromised app-limited key can create an unrestricted key with org-wide access to resourc...

CVE-2026-56216

Capgo before 12.128.2 is vulnerable to a scope escalation in POST /functions/v1/apikey where app-limited API keys can mint unrestricted keys by sending empty limits. An compromised app-limited key can create an org-wide, unrestricted key accessing resources such as app listings and protected endp...

PT-2026-51046

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description A scope escalation issue exists in the 'POST /functions/v1/apikey' endpoint. This allows users with app-limited API keys to generate unrestricted keys by providing empty limits. An attacker possessi...

CVE-2026-56079

Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs. Attackers can query the webhooks and webhookdeliveries endpoints to exfiltrate HMAC signing...