CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

118 matches found

CVE-2026-56248

Cap-go capgo capgo-backend before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the auditlogs table's Row-Level Security RLS policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejection,...

8.7CVSS

Exploits0References2

CVE•added yesterday•6 views

CVE-2026-56248

Cap-go capgo (capgo-backend) before 12.128.12 is affected. An unauthenticated DoS arises from the audit_logs table RLS policy when accessed via the Supabase PostgREST API; the query planner performs costly work before RLS rejection, so unfiltered public.audit_logs queries with the public anon key...

8.7CVSS5.9AI score

Exploits0References2

EUVD•added yesterday•6 views

EUVD-2026-38431

8.7CVSS5.9AI score

Exploits0References2

Cvelist•added yesterday•19 views

CVE-2026-56248 Capgo - Unauthenticated Denial-of-Service via audit_logs RLS Policy

8.7CVSS

Exploits0References2

CVE•added yesterday•6 views

CVE-2026-56243

Capgo before 12.128.2 has a security control bypass in the PostgREST/RLS plane: it accepts plaintext API keys via the capgkey header despite enforce_hashed_api_keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext keys directly to the PostgREST/RLS plane t...

8.6CVSS5.9AI score

Exploits0References2

Cvelist•added yesterday•17 views

CVE-2026-56243 Capgo - Hashed API Key Enforcement Bypass via PostgREST/RLS Plane

Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforcehashedapikeys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to th...

8.6CVSS

Exploits0References2

NVD•added 3 days ago•7 views

CVE-2026-56251

Capgo before 12.128.2 contains a broken row level security policy in the orgusers table that allows authenticated users to elevate privileges from admin to superadmin. Attackers can exploit the insufficient RLS enforcement to gain unauthorized superadmin access and compromise system security...

7CVSS0.00246EPSS

Exploits0References2

ATTACKERKB•added 3 days ago•4 views

CVE-2026-56251

7CVSS5.8AI score0.00246EPSS

Exploits0References3

CVE•added 3 days ago•11 views

CVE-2026-56251

Capgo before 12.128.2 contains a broken row-level security policy in the org_users table that can let authenticated users elevate privileges from admin to super_admin due to insufficient RLS enforcement, enabling unauthorized super_admin access and system compromise. The issue is documented with ...

7CVSS5.8AI score0.00246EPSS

Exploits0References2

Cvelist•added 3 days ago•27 views

CVE-2026-56251 Capgo - Privilege Escalation via Broken Row Level Security in org_users

7CVSS0.00246EPSS

Exploits0References2

EUVD•added 3 days ago•6 views

EUVD-2026-38168

7CVSS5.8AI score0.00246EPSS

Exploits0References2

CVE•added 3 days ago•10 views

CVE-2026-56239

Capgo CVE-2026-56239 affects Capgo before 12.128.2. The vulnerability lies in the public.apply_usage_overage SECURITY DEFINER function, which performs billing operations without validating authorization (no auth.uid(), org membership, or check_min_rights). Because the function runs with the owner...

7.6CVSS6AI score0.00199EPSS

Exploits0References2

ATTACKERKB•added 3 days ago•4 views

CVE-2026-56239

Capgo before 12.128.2 contains a potential privilege escalation vulnerability in the public.applyusageoverage SECURITY DEFINER function, which performs sensitive billing operations without enforcing internal authorization checks no validation of auth.uid, org membership, or checkminrights. Becaus...

7.6CVSS6AI score0.00199EPSS

Exploits0References3

EUVD•added 3 days ago•5 views

EUVD-2026-38166

7.6CVSS6AI score0.00199EPSS

Exploits0References2

Cvelist•added 2026/06/08 7:13 p.m.•32 views

CVE-2026-49141 WACRM Authorization Bypass via Automation Engine Endpoint

WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contactid in the POST request body without tenant ownership...

7.1CVSS0.00216EPSS

Exploits0References3

EUVD•added 2026/06/08 7:13 p.m.•8 views

EUVD-2026-35194

7.1CVSS5.6AI score0.00216EPSS

Exploits0References3

Positive Technologies•added 2026/06/08 12:0 a.m.•13 views

PT-2026-47450

Name of the Vulnerable Software and Affected Versions WACRM versions prior to commit 73041bf Description An authorization bypass exists in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants. By providing an arbitrary contact id in th...

7.1CVSS5.6AI score0.00216EPSS

Exploits0References5

Github Security Blog•added 2026/06/04 6:39 p.m.•7 views

OpenMeter: SQL injection through meter creation

Summary An authenticated tenant can inject arbitrary SQL through the valueProperty or groupBy fields of POST /api/v1/meters. The injection passes the application's JSONPath validation check and executes against the shared ClickHouse database, which contains event data for all tenants with no...

6.1AI score0.00036EPSS

Exploits0References5Affected Software1

OSV•added 2026/04/03 1:27 p.m.•3 views

JLSEC-2026-47

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invok...

5.4CVSS6.6AI score0.00786EPSS

Exploits0References3