CVE-2026-56234

Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validatepasswordcompliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate...

CVE-2026-56234

Capgo prior to 12.128.2 exposes a credential validation endpoint (POST /functions/v1/private/validate_password_compliance) that is accessible with only the public Supabase key and lacks authentication. The endpoint uses permissive CORS with a wildcard origin and has no rate limiting, which enable...

EUVD-2026-38428

Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers get/put/delete/post. API keys created with mode=all but restricted to a single app via limitedtoapps are only checked for limitedtoorgs and not for limitedtoapps, so an app-scoped key ca...

CVE-2026-56311

Capgo (before 12.128.2) contains an authorization bypass in public.get_current_plan_max_org RPC that allows unauthenticated access to arbitrary organization plan limits. An attacker can call the RPC with any organization UUID using only the public Supabase key to disclose billing information (MAU...

EUVD-2026-38370

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.getcurrentplanmaxorg RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase...

openssl: openssl: Information Disclosure from Uninitialized Memory via Invalid RSA Public Key

A flaw was found in openssl. Applications that use RSASVE key encapsulation, a method for securely exchanging encryption keys, may inadvertently expose sensitive data. This vulnerability arises when an application processes a malicious, invalid RSA public key provided by an attacker without prope...

openssl: openssl: Information Disclosure from Uninitialized Memory via Invalid RSA Public Key

A flaw was found in openssl. Applications that use RSASVE key encapsulation, a method for securely exchanging encryption keys, may inadvertently expose sensitive data. This vulnerability arises when an application processes a malicious, invalid RSA public key provided by an attacker without prope...

Moderate: Red Hat Security Advisory: openssl-fips-provider security update

An update for openssl-fips-provider is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

openssl: openssl: Information Disclosure from Uninitialized Memory via Invalid RSA Public Key

A flaw was found in openssl. Applications that use RSASVE key encapsulation, a method for securely exchanging encryption keys, may inadvertently expose sensitive data. This vulnerability arises when an application processes a malicious, invalid RSA public key provided by an attacker without prope...

CVE-2026-56235

Cap-go capgo prior to 12.128.2 exposes an authorization bypass in multiple Supabase PostgREST RPC functions (get_app_metrics, get_global_metrics, get_total_metrics) granted to anon without org membership or permission checks. An unauthenticated attacker with only the public Supabase API key (sb_p...

PT-2026-50568

Name of the Vulnerable Software and Affected Versions Steeltoe.Configuration.Encryption versions 4.0.0 through 4.1.0 Description Steeltoe is an open source project providing libraries for building cloud-native applications. An issue exists where configuring the encrypt:rsa:algorithm variable with...

python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens

A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys JWK in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...

EUVD-2026-32917

PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed...

PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed

!NOTE Exploitation requires a verifier configured with both symmetric and asymmetric algorithms in algorithms=… and a raw-JSON JWK as the key= argument, both contrary to documented usage, hence the High attack-complexity rating. Summary When the verifier is decoding JSON Web Tokens, while...

python-pyjwt: PyJWT: Authentication bypass due to forged JSON Web Tokens

A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. When decoding JWTs, the library fails to validate the use of JSON Web Keys JWK in the HMAC algorithm while also supporting asymmetric algorithms. This allows a remote attacker to use the issuer's public key as the...

SUSE CVE-2026-42768

Issue summary: The CMSdecrypt and PKCS7decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output. Impact summary: The Bleichenbacher-style attack allows an attacker to use the...

MAL-2026-5695 Malicious code in internallib_v984 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3c46879ad94169111411f91b210779628bb14a5d16843ec2bec42bf418affdf8 Package exports a single command function that, when invoked, performs three coordinated attacks against the host: 1 appends a hardcoded...

CVE-2026-41005

Cloud Foundry UAA incorrectly treated XML encryption to the Service Provider confidentiality as a substitute for XML signatures from the Identity Provider authenticity in two SAML flows: the OAuth 2.0 SAML2 bearer grant token endpoint and browser SSO ACS when wantAssertionSigned is set to false...

CVE-2026-41005 UAA accepts SAML Encrypted Assertions authentication bypass

Cloud Foundry UAA incorrectly treated XML encryption to the Service Provider confidentiality as a substitute for XML signatures from the Identity Provider authenticity in two SAML flows: the OAuth 2.0 SAML2 bearer grant token endpoint and browser SSO ACS when wantAssertionSigned is set to false...

openssl: PKCS#12 Files with PBMAC1 Are Accepted with Short HMAC Keys

A flaw was found in OpenSSL. This vulnerability allows a remote attacker to forge PKCS12 Public-Key Cryptography Standards 12 files that use Password-Based Message Authentication Code 1 PBMAC1 with short HMAC Hash-based Message Authentication Code keys. This can lead to a service accepting...