4 matches found
CVE-2026-56309
Capgo before 12.128.2 fails to enforce plan/quota restrictions on the /files/upload/attachments endpoint, allowing plan-blocked apps to create publicly readable R2 objects. Attackers can upload arbitrary attachments using upload-scoped API keys that bypass plan checks, persist outside normal bund...
CVE-2026-56309 Capgo - Plan Bypass via Unrestricted Attachment Upload Endpoint
Capgo before 12.128.2 fails to enforce plan/quota restrictions on the /files/upload/attachments endpoint, allowing plan-blocked apps to create publicly readable R2 objects. Attackers can upload arbitrary attachments using upload-scoped API keys that bypass plan checks, persist outside normal bund...
CVE-2026-56309
Capgo before 12.128.2 fails to enforce plan/quota restrictions on the /files/upload/attachments endpoint, enabling plan-blocked apps to create publicly readable R2 objects. Attackers can upload arbitrary attachments using upload-scoped API keys that bypass plan checks, persist outside normal bund...
GHSA-9GJV-JVM7-VV2V Gramps Web API: Private Sub-Object Data in Non-Private Objects Exposed to Guest Users
Summary Users with the Guest role could receive private sub-object data e.g. private alternate names, private addresses, private note/citation/media handles through list API endpoints such as GET /api/people/, GET /api/places/, GET /api/events/, and all other object list endpoints. This does not...