| # | CVSS | Severity | Vector | Description | CWE | CVE | Dates |
|---|---|---|---|---|---|---|---|
| 1611 | 8.8 | HIGH | Network | Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via the x-limited-key-id header in the middlewareKey function. Attackers can bypass subkey scope res… | CWE-863 Incorrect Authorization | CVE-2026-56232 | 2026-06-25 23:03; 2026-06-24 |
| 1612 | 9.1 | CRITICAL | Network | Capgo before 12.128.2 contains a broken authentication vulnerability in its API key generation mechanism. API keys are exposed in frontend requests, and the backend fails to validate that keys are se… | CWE-287 Improper Authentication | CVE-2026-56237 | 2026-06-25 23:03; 2026-06-24 |
| 1613 | 7.1 | HIGH | Network | Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the web… | CWE-200 Information Exposure | CVE-2026-56244 | 2026-06-25 23:03; 2026-06-24 |
| 1614 | 8.2 | HIGH | Network | Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-ti… | CWE-269 Improper Privilege Management | CVE-2026-56245 | 2026-06-25 23:03; 2026-06-24 |
| 1615 | 7.1 | HIGH | Network | Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization (ORG) management API endpoints (e.g., editing organization details, inviting users) do … | CWE-602 Client-Side Enforcement of Server-Side Security | CVE-2026-56256 | 2026-06-25 23:03; 2026-06-24 |
| 1616 | 6.5 | MEDIUM | Network | Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers ca… | CWE-284 Improper Access Control | CVE-2026-56302 | 2026-06-25 23:03; 2026-06-24 |
| 1617 | 5.3 | MEDIUM | Network | Capgo before 12.128.2 contains an information disclosure vulnerability in the public.exist_app_v2 RPC function that allows unauthenticated attackers to enumerate app_ids by calling POST /rest/v1/rpc/… | CWE-200 Information Exposure | CVE-2026-56337 | 2026-06-25 23:03; 2026-06-24 |
| 1618 | 5.3 | MEDIUM | Network | Capgo before 12.128.2 contains a denial of service vulnerability in the /auth/v1/otp endpoint that prevents email verification for two-factor authentication due to captcha validation failures. Authen… | CWE-703 Improper Check or Handling of Exceptional Conditions | CVE-2026-56338 | 2026-06-25 23:03; 2026-06-24 |
| 1619 | 10.0 | CRITICAL | Network | GV-I/O Box 4E is a smart embedded device with 4 inputs and 4 relay outputs that can be controlled over Ethernet and RS-485. DVRSearch is a service running by default on the IOBox listening for UDP me… | CWE-121 Stack-based Buffer Overflow | CVE-2026-12485 | 2026-06-25 23:02; 2026-06-24 |
| 1620 | 9.1 | CRITICAL | Network | Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker… | CWE-78 OS Command Injection | CVE-2026-12486 | 2026-06-25 23:02; 2026-06-24 |
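Rows 1613, 1614, 1616 and 1617 above share one root cause class: Supabase exposes every table and function in the exposed schema over PostgREST, so a table without a tight row-level-security policy, a SECURITY DEFINER function that PUBLIC (and therefore the anon role) can execute, or a storage bucket with a permissive policy is reachable with nothing more than the project's public anon key. The following is an added example, not code from the page or from the Capgo project: a hypothetical schema showing the weak form beside the hardened form for each pattern. Every table, column, bucket and role name is assumed; record_build_time and exist_app_v2 are the only names taken from the rows, and their real signatures are not on the page.

```sql
-- Hypothetical Supabase/PostgreSQL schema (not Capgo's). Names assumed.

-- 1. Secrets in a row that non-admin callers can select (cf. row 1613).
create table if not exists public.org_members (
  org_id  uuid not null, user_id uuid not null, role text not null,
  primary key (org_id, user_id)
);
create table if not exists public.webhooks (
  id      bigint generated always as identity primary key,
  org_id  uuid not null,
  url     text not null,
  secret  text not null
);
alter table public.webhooks enable row level security;

-- Weak: one policy for the whole row, so any org member (or any API key
-- mapped to an org member) reads the signing secret along with the URL.
create policy "org members read webhooks" on public.webhooks
  for select to authenticated
  using (org_id in (select org_id from public.org_members
                    where user_id = auth.uid()));

-- Hardened: column-level grant hides the secret from ordinary selects;
-- the secret is only returned by a function that checks the admin role.
revoke select on public.webhooks from authenticated;
grant  select (id, org_id, url) on public.webhooks to authenticated;

create or replace function public.get_webhook_secret(p_id bigint)
returns text
language sql
security definer
set search_path = public      -- always pin search_path on SECURITY DEFINER
as $$
  select w.secret
  from public.webhooks w
  join public.org_members m on m.org_id = w.org_id
  where w.id = p_id
    and m.user_id = auth.uid()
    and m.role = 'admin';     -- 'admin' value is assumed
$$;
revoke execute on function public.get_webhook_secret(bigint) from public, anon;
grant  execute on function public.get_webhook_secret(bigint) to authenticated;

-- 2. SECURITY DEFINER RPC reachable by anon (cf. rows 1614 and 1617).
-- PostgreSQL grants EXECUTE on new functions to PUBLIC, and PostgREST serves
-- them at POST /rest/v1/rpc/<name>, so an unauthenticated caller can run them.
create table if not exists public.apps (app_id text primary key, owner_id uuid not null);
create table if not exists public.build_times (app_id text not null, ms integer not null);

-- Weak: writes for anyone who can reach the endpoint. Signature assumed.
create or replace function public.record_build_time(p_app_id text, p_ms integer)
returns void language sql security definer
as $$ insert into public.build_times(app_id, ms) values (p_app_id, p_ms) $$;

-- Hardened: require a session, check ownership, and revoke from anon.
create or replace function public.record_build_time(p_app_id text, p_ms integer)
returns void language plpgsql security definer set search_path = public
as $$
begin
  if auth.uid() is null then
    raise exception 'authentication required';
  end if;
  if not exists (select 1 from public.apps a
                 where a.app_id = p_app_id and a.owner_id = auth.uid()) then
    raise exception 'not authorized for app %', p_app_id;
  end if;
  insert into public.build_times(app_id, ms) values (p_app_id, p_ms);
end $$;
revoke execute on function public.record_build_time(text, integer) from public, anon;
grant  execute on function public.record_build_time(text, integer) to authenticated;
-- The same revoke is the fix for an existence-check RPC that leaks ids to anon:
--   revoke execute on function public.exist_app_v2(<real signature>) from public, anon;

-- 3. Storage bucket policies (cf. row 1616). Objects live in storage.objects,
-- which has RLS enabled; a blanket policy hands anon full read/write/delete.
-- Weak:
create policy "images open" on storage.objects
  for all to anon, authenticated
  using (bucket_id = 'images') with check (bucket_id = 'images');
-- Hardened: anonymous read of icons only; insert/delete tied to the uploader.
drop policy "images open" on storage.objects;
create policy "images public read" on storage.objects
  for select to anon, authenticated
  using (bucket_id = 'images');
create policy "images owner insert" on storage.objects
  for insert to authenticated
  with check (bucket_id = 'images' and owner = auth.uid());
create policy "images owner delete" on storage.objects
  for delete to authenticated
  using (bucket_id = 'images' and owner = auth.uid());
```

Two checks worth running after applying something like this: `select proname, proacl from pg_proc where prosecdef` lists every SECURITY DEFINER function and its ACL, so anything still executable by PUBLIC stands out; and a plain `curl -H "apikey: <anon key>" https://<project>.supabase.co/rest/v1/rpc/<name>` with no Authorization header should return a permission error for every RPC that is not meant to be public. Note that after the column-level grant a `select *` on public.webhooks from the authenticated role fails with permission denied, which is the intended behaviour: clients must name the columns they need.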