Total CVEs

143,208

Critical Severity

4,054

High Severity

14,598

Last 7 Days

1,326
Quick preset (or use dates below)
Clear Filters
Showing 21 - 40 of 83 CVEs
CVE-2026-56233 HIGH - 8.3

Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenticated users with build permissions to bypass upload restrictions. Attackers can append traversal sequences to the upload path, which are normalized by the WHATWG URL parser, enabling access ...

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD
CVE-2026-56230 HIGH - 8.8

Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to adopt cross-tenant limited keys. Attackers can supply another tenant's lim...

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD
CVE-2026-56224 MEDIUM - 5.4

Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs.

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD
CVE-2026-56219 HIGH - 7.5

Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose organi...

Vendor: Capgo
Product: Capgo
Published: Jun 30, 2026
Source: NVD
CVE-2026-56338 MEDIUM - 5.3

Capgo before 12.128.2 contains a denial of service vulnerability in the /auth/v1/otp endpoint that prevents email verification for two-factor authentication due to captcha validation failures. Authenticated users cannot complete 2FA enrollment as the backend consistently returns HTTP 500 errors with...

Vendor: Capgo
Product: Capgo
Published: Jun 24, 2026
Source: NVD
CVE-2026-56337 MEDIUM - 5.3

Capgo before 12.128.2 contains an information disclosure vulnerability in the public.exist_app_v2 RPC function that allows unauthenticated attackers to enumerate app_ids by calling POST /rest/v1/rpc/exist_app_v2 with arbitrary appid parameters. Remote attackers can exploit this SECURITY DEFINER func...

Vendor: Capgo
Product: Capgo
Published: Jun 24, 2026
Source: NVD
CVE-2026-56310 MEDIUM - 4.3

Cap-go before 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with org-limited API keys can read membership data including uid, email, image_url, role, and is_tmp from...

Vendor: Cap-go
Product: capgo
Published: Jun 24, 2026
Source: NVD
CVE-2026-56302 MEDIUM - 6.5

Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing unauthenticated attackers to read, insert, and delete stored app icons. Remote attackers can exploit this misconfiguration to delete all icons and leak sensitive app IDs and user IDs.

Vendor: Capgo
Product: Capgo
Published: Jun 24, 2026
Source: NVD
CVE-2026-56257 HIGH - 7.1

Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.owner_org while leaving app_versions.owner_org unchanged, enabling old-org keys to retain access to ve...

Vendor: Capgo
Product: Capgo
Published: Jun 24, 2026
Source: NVD
CVE-2026-56256 HIGH - 7.1

Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization (ORG) management API endpoints (e.g., editing organization details, inviting users) do not validate 2FA completion on the backend. An authenticated Admin user who has not enabled 2FA can r...

Vendor: Capgo
Product: Capgo
Published: Jun 24, 2026
Source: NVD
CVE-2026-56245 HIGH - 8.2

Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public A...

Vendor: Cap-go
Product: capgo
Published: Jun 24, 2026
Source: NVD
CVE-2026-56244 HIGH - 7.1

Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to configu...

Vendor: Capgo
Product: Capgo
Published: Jun 24, 2026
Source: NVD
CVE-2026-56237 CRITICAL - 9.1

Capgo before 12.128.2 contains a broken authentication vulnerability in its API key generation mechanism. API keys are exposed in frontend requests, and the backend fails to validate that keys are securely generated and bound to the authenticated user. An attacker can tamper with the API key paramet...

Vendor: Capgo
Product: Capgo
Published: Jun 24, 2026
Source: NVD
CVE-2026-56232 HIGH - 8.8

Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewareKey function. Attackers can bypass subkey scope restrictions by referencing their own subkeys, causing all downstream route handlers to use the unrestri...

Vendor: Capgo
Product: Capgo
Published: Jun 24, 2026
Source: NVD
CVE-2026-56231 HIGH - 7.6

Capgo before 12.128.2 contains a broken object level authorization (BOLA) vulnerability in the POST /build/start/:jobId and POST /build/cancel/:jobId endpoints. The handlers authorize the request based only on the attacker-controlled app_id supplied in the request body and never verify that the jobI...

Vendor: Capgo
Product: Capgo
Published: Jun 24, 2026
Source: NVD
CVE-2026-56223 HIGH - 8.7

Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a malic...

Vendor: Capgo
Product: Capgo
Published: Jun 24, 2026
Source: NVD
CVE-2026-56322 HIGH - 7.5

Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint that resolves the defaultChannel parameter before enforcing privacy restrictions, allowing attackers to enumerate private channels and leak version/config state. Unauthenticated attackers ...

Vendor: Capgo
Product: Capgo
Published: Jun 23, 2026
Source: NVD
CVE-2026-56248 HIGH - 7.5

Cap-go capgo (capgo-backend) before 12.128.12 contains an unauthenticated denial-of-service vulnerability arising from the audit_logs table's Row-Level Security (RLS) policy when accessed via the Supabase PostgREST API. Because the PostgreSQL query planner executes costly logic before RLS rejec...

Vendor: Cap-go
Product: capgo
Published: Jun 23, 2026
Source: NVD
CVE-2026-56243 HIGH - 8.1

Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts plaintext API keys through the capgkey header despite enforce_hashed_api_keys being enabled. Attackers can bypass org-level hashed-key enforcement by sending plaintext API keys directly to th...

Vendor: Capgo
Product: Capgo
Published: Jun 23, 2026
Source: NVD
CVE-2026-56234 MEDIUM - 5.3

Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validate_password_compliance endpoint that is callable using only the public Supabase key without authentication. The endpoint is CORS-permissive with wildcard origin allowance and lacks rate limit...

Vendor: Capgo
Product: Capgo
Published: Jun 23, 2026
Source: NVD