π¨ CVE-2026-54673
electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler (HttpExecutor.prepareRedirectUrlOptions) only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers β most notably PRIVATE-TOKEN (used by GitLab's personal access token flow) and mixed-case Authorization (used by GitLab's Bearer/OAuth flow) β were not stripped and could be forwarded to an attacker-controlled cross-origin redirect destination. This issue has been fixed in version 9.7.0.
π@cveNotify
electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler (HttpExecutor.prepareRedirectUrlOptions) only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers β most notably PRIVATE-TOKEN (used by GitLab's personal access token flow) and mixed-case Authorization (used by GitLab's Bearer/OAuth flow) β were not stripped and could be forwarded to an attacker-controlled cross-origin redirect destination. This issue has been fixed in version 9.7.0.
π@cveNotify
GitHub
fix: holistic field detection for `<text> (sha256 hash)` redaction (#β¦ Β· electron-userland/electron-builder@22a7532
β¦9834)
π¨ CVE-2026-54696
Ruby JSON is a JSON implementation for Ruby. Versions 2.9.0 through 2.19.8 are vulnerable to heap buffer overflow when the JSON generator is provided with an oversized streamed object. When streaming to an IO JSON.dump(obj, io) and JSON::State#generate(obj, io) can write past the internal JSON generator buffer when a streamed object contains an
attacker-controlled string near 16 KB. Exploitation would result in a reliable process crash/denial of service. This issue has been fixed in version 2.19.9.
π@cveNotify
Ruby JSON is a JSON implementation for Ruby. Versions 2.9.0 through 2.19.8 are vulnerable to heap buffer overflow when the JSON generator is provided with an oversized streamed object. When streaming to an IO JSON.dump(obj, io) and JSON::State#generate(obj, io) can write past the internal JSON generator buffer when a streamed object contains an
attacker-controlled string near 16 KB. Exploitation would result in a reliable process crash/denial of service. This issue has been fixed in version 2.19.9.
π@cveNotify
GitHub
Release v2.19.9 Β· ruby/json
Fix buffer overflow that could lead to a crash when writing JSON directly into an IO
with JSON.generate(object, io). [CVE-2026-54696].
Full Changelog: v2.19.8...v2.19.9
with JSON.generate(object, io). [CVE-2026-54696].
Full Changelog: v2.19.8...v2.19.9
π¨ CVE-2026-55223
c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0 in combination with other libraries, can compose to a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection() and ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as "properties" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious DataSource objects whose property lookups invoke vulnerable drivers, then smuggle them in serialized form to where an application deserializes and auto-resolves bean properties β triggering the attack. This requires a susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an essential component of the trigger. This issue has been fixed in version 0.14.0.
π@cveNotify
c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0 in combination with other libraries, can compose to a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection() and ConnectionPoolDataSource.getPooledConnection() match the getXXX() form, so JavaBean libraries treat them as "properties" assumed safe while they actually call into JDBC drivers. Attackers can thus craft malicious DataSource objects whose property lookups invoke vulnerable drivers, then smuggle them in serialized form to where an application deserializes and auto-resolves bean properties β triggering the attack. This requires a susceptible DataSource/ConnectionPoolDataSource and JDBC driver on the CLASSPATH, plus a carrier that auto-looks-up JavaBean properties on = deserialization, most commonly a collection paired with an Apache commons-beanutils Comparator that sorts by bean properties. c3p0 supplied that susceptible DataSource/ConnectionPoolDataSource, which was an essential component of the trigger. This issue has been fixed in version 0.14.0.
π@cveNotify
GitHub
Generate BeanInfo classes for c3p0's DataSource and ConnectionPoolDat⦠· swaldman/c3p0@7b022c4
β¦aSource implemetations that forbid treating connection / pooledConnection as bean properties.
π¨ CVE-2026-55721
Storage Concentrator (SC & SCVM) is vulnerable to SQL injection through cookie values processed by the login.pl and debug.pl scripts. The cookie value is incorporated directly into database queries without adequate sanitization, allowing an unauthenticated remote attacker to manipulate those queries and extract sensitive information from the underlying database, including session tokens, password hashes, and stored secret keys.
π@cveNotify
Storage Concentrator (SC & SCVM) is vulnerable to SQL injection through cookie values processed by the login.pl and debug.pl scripts. The cookie value is incorporated directly into database queries without adequate sanitization, allowing an unauthenticated remote attacker to manipulate those queries and extract sensitive information from the underlying database, including session tokens, password hashes, and stored secret keys.
π@cveNotify
π¨ CVE-2026-56219
Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose organization membership, roles, and email addresses via the PostgREST RPC endpoint using only a public API key.
π@cveNotify
Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac function that allows unauthenticated attackers to retrieve RBAC role bindings and member email addresses. Attackers can exploit improper NULL comparison in the authorization gate to disclose organization membership, roles, and email addresses via the PostgREST RPC endpoint using only a public API key.
π@cveNotify
GitHub
Unauthenticated RBAC bindings + member email disclosure via get_org_user_access_rbac NULL-auth bypass
### Summary
Unauthenticated callers using only the public Supabase sb_publishable_* key can call public.get_org_user_access_rbac(p_user_id, p_org_id) and retrieve RBAC role bindings for organizati...
Unauthenticated callers using only the public Supabase sb_publishable_* key can call public.get_org_user_access_rbac(p_user_id, p_org_id) and retrieve RBAC role bindings for organizati...
π¨ CVE-2026-56224
Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs.
π@cveNotify
Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-controlled sessions, exposing tokens in browser history and logs.
π@cveNotify
GitHub
Login CSRF / Session Fixation: console.capgo.app/login accepts access_token + refresh_token in URL query and auto-authenticates
### Summary
https://console.capgo.app/login automatically authenticates a user when access_token and refresh_token are provided in the URL query string. Opening a crafted link in a fresh/incognito...
https://console.capgo.app/login automatically authenticates a user when access_token and refresh_token are provided in the URL query string. Opening a crafted link in a fresh/incognito...
π¨ CVE-2026-56230
Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to adopt cross-tenant limited keys. Attackers can supply another tenant's limited key ID to bypass authorization checks and access unauthorized cross-tenant resources across multiple API endpoints.
π@cveNotify
Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to adopt cross-tenant limited keys. Attackers can supply another tenant's limited key ID to bypass authorization checks and access unauthorized cross-tenant resources across multiple API endpoints.
π@cveNotify
GitHub
High Severity BOLA/IDOR: x-limited-key-id enables cross-tenant limited-key adoption in middlewareKey()
### Summary
`middlewareKey()` in `supabase/functions/_backend/utils/hono_middleware.ts` accepts the client-controlled header `x-limited-key-id` and overrides the request auth context using the ref...
`middlewareKey()` in `supabase/functions/_backend/utils/hono_middleware.ts` accepts the client-controlled header `x-limited-key-id` and overrides the request auth context using the ref...
π¨ CVE-2026-56233
Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenticated users with build permissions to bypass upload restrictions. Attackers can append traversal sequences to the upload path, which are normalized by the WHATWG URL parser, enabling access to internal administrative endpoints with the privileged BUILDER_API_KEY header and resulting in server-side privilege escalation.
π@cveNotify
Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenticated users with build permissions to bypass upload restrictions. Attackers can append traversal sequences to the upload path, which are normalized by the WHATWG URL parser, enabling access to internal administrative endpoints with the privileged BUILDER_API_KEY header and resulting in server-side privilege escalation.
π@cveNotify
GitHub
SSRF and Privilege Escalation in Builder Upload Proxy via Path Traversal
### Summary
A path traversal vulnerability in the builder upload proxy allows an authenticated user with build permissions to perform unintended privileged requests to the internal builder service...
A path traversal vulnerability in the builder upload proxy allows an authenticated user with build permissions to perform unintended privileged requests to the internal builder service...
π¨ CVE-2026-56247
Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.
π@cveNotify
Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.
π@cveNotify
GitHub
Org admins can assign org-level RBAC roles at app scope, including to pending invitees, leading to end-to-end privilege escalationβ¦
### Summary
The RBAC assignment endpoint `supabase/functions/_backend/private/role_bindings.ts` allows an org admin to create an **app-scoped** role binding using an **org-scoped** role such as ...
The RBAC assignment endpoint `supabase/functions/_backend/private/role_bindings.ts` allows an org admin to create an **app-scoped** role binding using an **org-scoped** role such as ...
π¨ CVE-2026-56249
Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. Attackers with app.create_channel permission can exploit a logic mismatch between existence validation and upsert operations to reassign channel ownership and modify critical production channel configurations.
π@cveNotify
Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. Attackers with app.create_channel permission can exploit a logic mismatch between existence validation and upsert operations to reassign channel ownership and modify critical production channel configurations.
π@cveNotify
GitHub
Unauthorized channel overwrite and ownership takeover via POST /channel name collision
### Summary
A user with permission to create channels (app.create_channel) can overwrite an existing channel by reusing its name. This overwrite also transfers channel ownership (created_by) to th...
A user with permission to create channels (app.create_channel) can overwrite an existing channel by reusing its name. This overwrite also transfers channel ownership (created_by) to th...
π¨ CVE-2026-56264
Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary JavaScript and, combined with the browser's relaxed security settings, perform server-side request forgery against internal services.
π@cveNotify
Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary JavaScript and, combined with the browser's relaxed security settings, perform server-side request forgery against internal services.
π@cveNotify
GitHub
GitHub - unclecode/crawl4ai: ππ€ Crawl4AI: Open-source LLM Friendly Web Crawler & Scraper. Don't be shy, join here: https://disβ¦
ππ€ Crawl4AI: Open-source LLM Friendly Web Crawler & Scraper. Don't be shy, join here: https://discord.gg/jP8KfhDhyN - unclecode/crawl4ai
π¨ CVE-2026-56277
Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS configuration (getCorsOptions()) and allows any webpage to make cross-origin requests that trigger TTS generation using stored credentials, enabling drive-by cross-origin credential abuse.
π@cveNotify
Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/src/controllers/text-to-speech/index.ts), independent of the server's configured CORS policy. This bypasses the server's otherwise restrictive default CORS configuration (getCorsOptions()) and allows any webpage to make cross-origin requests that trigger TTS generation using stored credentials, enabling drive-by cross-origin credential abuse.
π@cveNotify
GitHub
Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage
### Summary
The TTS generation endpoint sets `Access-Control-Allow-Origin: *` as a hardcoded response header, independent of the server's CORS configuration. This enables any webpage to make...
The TTS generation endpoint sets `Access-Control-Allow-Origin: *` as a hardcoded response header, independent of the server's CORS configuration. This enables any webpage to make...
π¨ CVE-2026-56278
Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.
π@cveNotify
Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.
π@cveNotify
GitHub
Weak Default Express Session Secret
**Detection Method:** Kolega.dev Deep Code Scan
| Attribute | Value |
|---|---|
| Severity | Critical |
| CWE | CWE-798 (Use of Hard-coded Credentials) |
| Location | packages/server/src/ent...
| Attribute | Value |
|---|---|
| Severity | Critical |
| CWE | CWE-798 (Use of Hard-coded Credentials) |
| Location | packages/server/src/ent...
π¨ CVE-2026-56286
Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can delete user accounts via session hijacking, CSRF attacks, or parameter tampering, resulting in unauthorized account deletion, data loss, and denial-of-service.
π@cveNotify
Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can delete user accounts via session hijacking, CSRF attacks, or parameter tampering, resulting in unauthorized account deletion, data loss, and denial-of-service.
π@cveNotify
GitHub
Bug Report: Account Deletion Without Password Confirmation β No Re-Authentication Required to Delete Account
Bug Report: Account Deletion Without Password Confirmation β No Re-Authentication Required to Delete Account
Reported by: Vikash Gupta
Severity: High
Category: Authentication / Authorization ...
Reported by: Vikash Gupta
Severity: High
Category: Authentication / Authorization ...
π¨ CVE-2026-56300
Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for_apikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using the public API key can validate leaked keys, enumerate users and apps, and determine permission levels, significantly increasing the actionability of compromised credentials.
π@cveNotify
Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for_apikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using the public API key can validate leaked keys, enumerate users and apps, and determine permission levels, significantly increasing the actionability of compromised credentials.
π@cveNotify
GitHub
Unauthenticated Supabase RPCs expose API key validity + user/org permission oracles (get_user_id, get_org_perm_for_apikey)
## Summary
Two Supabase PostgREST RPC functions are **SECURITY DEFINER** and **executable by `anon`**. They allow an unauthenticated caller (using the public `sb_publishable_*` key) to:
- Validat...
Two Supabase PostgREST RPC functions are **SECURITY DEFINER** and **executable by `anon`**. They allow an unauthenticated caller (using the public `sb_publishable_*` key) to:
- Validat...
π¨ CVE-2026-56318
Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observing response status codes and error messages, allowing confirmation of organization existence.
π@cveNotify
Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observing response status codes and error messages, allowing confirmation of organization existence.
π@cveNotify
GitHub
Unauthenticated org existence oracle via /private/validate_password_compliance
### Summary
/private/validate_password_compliance returns different errors for malformed vs non-existent vs existing org_id. This lets an unauthenticated user confirm whether an organization UUID ...
/private/validate_password_compliance returns different errors for malformed vs non-existent vs existing org_id. This lets an unauthenticated user confirm whether an organization UUID ...
π¨ CVE-2026-56320
Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. Authenticated attackers can create device records for an application using a foreign organization identifier, bypassing the intended org/app authorization boundary.
π@cveNotify
Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. Authenticated attackers can create device records for an application using a foreign organization identifier, bypassing the intended org/app authorization boundary.
π@cveNotify
GitHub
Authenticated org/app scope mismatch in /private/create_device allows device creation for an app using a foreign org_id
### Summary
POST /private/create_device accepts a caller-supplied org_id that does not belong to the target app_id, but still authorizes and persists device records for that app.
I confirmed th...
POST /private/create_device accepts a caller-supplied org_id that does not belong to the target app_id, but still authorizes and persists device records for that app.
I confirmed th...
π¨ CVE-2026-56327
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable API key to determine if an organization ID exists based on NO_ORG versus NO_RIGHTS responses, enabling tenant enumeration attacks.
π@cveNotify
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable API key to determine if an organization ID exists based on NO_ORG versus NO_RIGHTS responses, enabling tenant enumeration attacks.
π@cveNotify
GitHub
Unauthenticated org existence oracle via public Supabase RPC public.invite_user_to_org(email, org_id, invite_type) (SECURITY DEFINER)
### Summary
The Supabase PostgREST RPC public.invite_user_to_org(email, org_id, invite_type) is publicly callable with the projectβs sb_publishable_* key and returns distinct results (NO_ORG vs NO...
The Supabase PostgREST RPC public.invite_user_to_org(email, org_id, invite_type) is publicly callable with the projectβs sb_publishable_* key and returns distinct results (NO_ORG vs NO...
π¨ CVE-2026-56328
Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.
π@cveNotify
Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests without defaultChannel implicitly resolve to a single hidden winner channel. An authorized app or channel manager can create ambiguous default update state and silently influence which bundle unnamed clients receive, breaking release routing integrity and predictability.
π@cveNotify
GitHub
Multiple same-platform public channels can coexist, while unnamed /updates selects a single implicit winner
### Summary
Capgo allows multiple `public=true` channels for the same app and same platform to coexist at the same time, but clients calling `/updates` without `defaultChannel` still resolve to ...
Capgo allows multiple `public=true` channels for the same app and same platform to coexist at the same time, but clients calling `/updates` without `defaultChannel` still resolve to ...
π¨ CVE-2026-56333
Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers can bypass backend validation by directly updating the public.orgs table from the browser, circumventing field-level validation checks for max_apikey_expiration_days and other security-sensitive configuration parameters.
π@cveNotify
Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers can bypass backend validation by directly updating the public.orgs table from the browser, circumventing field-level validation checks for max_apikey_expiration_days and other security-sensitive configuration parameters.
π@cveNotify
GitHub
Authenticated org admin can bypass /organization security-setting validation via direct browser-side public.orgs updates
### Summary
Capgoβs dashboard updates organization security settings directly from the browser against public.orgs, while the official backend /organization endpoint applies stricter server-side v...
Capgoβs dashboard updates organization security settings directly from the browser against public.orgs, while the official backend /organization endpoint applies stricter server-side v...
π¨ CVE-2026-56334
Capgo before 12.128.2 lacks an UPDATE row-level security policy for the build_requests table, preventing API-key and anonymous access from persisting builder status updates. Attackers can exploit this missing policy to cause build status and error details to remain unpersisted, leaving build_requests rows stuck in pending state with null last_error values.
π@cveNotify
Capgo before 12.128.2 lacks an UPDATE row-level security policy for the build_requests table, preventing API-key and anonymous access from persisting builder status updates. Attackers can exploit this missing policy to cause build status and error details to remain unpersisted, leaving build_requests rows stuck in pending state with null last_error values.
π@cveNotify
GitHub
Build status is not persisted to build_requests (stuck pending, last_error never set) due to missing UPDATE RLS policy for APIβ¦
### Summary
/build/status returns the real builder status (failed) but the corresponding build_requests row stays status=pending and last_error=null. This prevents the dashboard from showing cor...
/build/status returns the real builder status (failed) but the corresponding build_requests row stays status=pending and last_error=null. This prevents the dashboard from showing cor...