5 matches found
CVE-2026-56234 Capgo - Password Spraying via Public-Key Accessible Credential Validation Endpoint
Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validatepasswordcompliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate...
EUVD-2026-38370
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.getcurrentplanmaxorg RPC function that allows unauthenticated attackers to retrieve arbitrary organization plan limits. Attackers can call the RPC endpoint with any organization UUID using only the public Supabase...
CVE-2025-65957
Core Bot is an open-source Discord bot made for maple hospital servers. Prior to commit dffe050, the API keys SUPABASEAPIKEY and TOKEN are loaded from environment variables, but there are cases in the code (error handling, summaries, webhooks) where configuration summaries may inadvertently leak sensitiv...
CVE-2025-65957 Core Bot is Leaking Sensitive Credentials in Logs, Errors, and Messages
CVE-2025-65957
Core Bot (open-source Discord bot for maple hospital servers) contained an information-disclosure vulnerability prior to commit dffe050, where API keys (SUPABASE_API_KEY, TOKEN) loaded from environment variables could be exposed in configuration summaries, logs, or embeds due to incomplete redact...