Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Totals: 20412 total, 1466 Critical, 6188 High, 6493 Medium.
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-56328 | MEDIUM | 6.5 | Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to … | Jun 30, 2026 |
| CVE-2026-56327 | MEDIUM | 5.3 | Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error … | Jun 30, 2026 |
| CVE-2026-56320 | HIGH | 7.1 | Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. … | Jun 30, 2026 |
| CVE-2026-56318 | MEDIUM | 5.3 | Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated … | Jun 30, 2026 |
| CVE-2026-56300 | HIGH | 7.5 | Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for_apikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using … | Jun 30, 2026 |
| CVE-2026-56286 | HIGH | 8.1 | Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can delete … | Jun 30, 2026 |
| CVE-2026-56278 | CRITICAL | 9.1 | Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is … | Jun 30, 2026 |
| CVE-2026-56277 | UNKNOWN | — | Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy. This … | Jun 30, 2026 |
| CVE-2026-56264 | HIGH | 8.1 | Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the … | Jun 30, 2026 |
| CVE-2026-56249 | HIGH | 7.6 | Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. … | Jun 30, 2026 |
| CVE-2026-56247 | HIGH | 8.8 | Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can … | Jun 30, 2026 |
| CVE-2026-56233 | HIGH | 8.3 | Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenticated users with build permissions to bypass upload restrictions. Attackers … | Jun 30, 2026 |
| CVE-2026-56230 | HIGH | 8.8 | Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to … | Jun 30, 2026 |
| CVE-2026-56224 | MEDIUM | 5.4 | Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims … | Jun 30, 2026 |
| CVE-2026-56219 | HIGH | 7.5 | Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. … | Jun 30, 2026 |
| CVE-2026-55721 | CRITICAL | 9.3 | Storage Concentrator (SC & SCVM) is vulnerable to SQL injection through cookie values processed by the login.pl and debug.pl scripts. The cookie value is incorporated … | Jun 30, 2026 |
| CVE-2026-55223 | UNKNOWN | — | c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0, in combination with other libraries, can compose to a "sink" for deserialization … | Jun 30, 2026 |
| CVE-2026-54696 | LOW | 3.7 | Ruby JSON is a JSON implementation for Ruby. Versions 2.9.0 through 2.19.8 are vulnerable to heap buffer overflow when the JSON generator is provided with … | Jun 30, 2026 |
| CVE-2026-54673 | UNKNOWN | — | electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler (HttpExecutor.prepareRedirectUrlOptions) only stripped a credential header whose key string matched … | Jun 30, 2026 |
| CVE-2026-54672 | HIGH | 7.8 | electron-updater allows for automatic updates for Electron apps. Prior to 26.15.0, AppImage targets built by app-builder-lib could use an empty path component when setting the … | Jun 30, 2026 |
| CVE-2026-52198 | HIGH | 7.5 | Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_425994 component | Jun 30, 2026 |
| CVE-2026-52197 | HIGH | 7.5 | An issue in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_44af70 component | Jun 30, 2026 |
| CVE-2026-52195 | HIGH | 7.5 | Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_472f08 component | Jun 30, 2026 |
| CVE-2026-52193 | HIGH | 7.5 | Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_447CAC component | Jun 30, 2026 |
| CVE-2026-50110 | CRITICAL | 9.2 | Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded … | Jun 30, 2026 |