๐จ CVE-2026-15483
A security vulnerability has been detected in TRENDnet TEW-821DAP 1.12B01. Impacted is the function sub_41EC14 of the file /goform/tools_nslookup of the component ssi. The manipulation of the argument nslookup_target leads to buffer overflow. It is possible to initiate the attack remotely. The vendor explains: "We are unable to confirm the existence of the vulnerabilities for (...) TEW-821DAP (v1.0R) as these items have been EOL. " This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
A security vulnerability has been detected in TRENDnet TEW-821DAP 1.12B01. Impacted is the function sub_41EC14 of the file /goform/tools_nslookup of the component ssi. The manipulation of the argument nslookup_target leads to buffer overflow. It is possible to initiate the attack remotely. The vendor explains: "We are unable to confirm the existence of the vulnerabilities for (...) TEW-821DAP (v1.0R) as these items have been EOL. " This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
GitHub
IOT_Firmware_Update/Trendnet/TEW-821DAP_BO2.md at main ยท IOTRes/IOT_Firmware_Update
Contribute to IOTRes/IOT_Firmware_Update development by creating an account on GitHub.
๐จ CVE-2026-15484
A vulnerability was detected in TRENDnet TEW-821DAP 1.12B01. The affected element is the function sub_41EC14 of the file /goform/tools_nslookup of the component ssi. The manipulation results in buffer overflow. It is possible to launch the attack remotely. The vendor explains: "We are unable to confirm the existence of the vulnerabilities for (...) TEW-821DAP (v1.0R) as these items have been EOL. " This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
A vulnerability was detected in TRENDnet TEW-821DAP 1.12B01. The affected element is the function sub_41EC14 of the file /goform/tools_nslookup of the component ssi. The manipulation results in buffer overflow. It is possible to launch the attack remotely. The vendor explains: "We are unable to confirm the existence of the vulnerabilities for (...) TEW-821DAP (v1.0R) as these items have been EOL. " This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
GitHub
IOT_Firmware_Update/Trendnet/TEW-821DAP_BO3.md at main ยท IOTRes/IOT_Firmware_Update
Contribute to IOTRes/IOT_Firmware_Update development by creating an account on GitHub.
๐จ CVE-2026-15485
A flaw has been found in TRENDnet TEW-821DAP 1.11B03. The impacted element is the function sub_43F2C4 of the file /goform/tools_nslookup of the component DNS Lookup Handler. This manipulation of the argument nslookup_target/dns_server causes os command injection. The attack can be initiated remotely. The vendor explains: "We are unable to confirm the existence of the vulnerabilities for (...) TEW-821DAP (v1.0R) as these items have been EOL. " This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
A flaw has been found in TRENDnet TEW-821DAP 1.11B03. The impacted element is the function sub_43F2C4 of the file /goform/tools_nslookup of the component DNS Lookup Handler. This manipulation of the argument nslookup_target/dns_server causes os command injection. The attack can be initiated remotely. The vendor explains: "We are unable to confirm the existence of the vulnerabilities for (...) TEW-821DAP (v1.0R) as these items have been EOL. " This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
GitHub
IOT_Firmware_Update/Trendnet/TEW-821DAP_CI3.md at main ยท IOTRes/IOT_Firmware_Update
Contribute to IOTRes/IOT_Firmware_Update development by creating an account on GitHub.
๐จ CVE-2026-15486
A vulnerability has been found in TRENDnet TEW-821DAP 1.11B03. This affects the function sub_42026C of the file /goform/tools_ddns of the component Firmware Update Handler. Such manipulation of the argument hostname/username/password leads to os command injection. The attack can be launched remotely. The vendor explains: "We are unable to confirm the existence of the vulnerabilities for (...) TEW-821DAP (v1.0R) as these items have been EOL. " This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
A vulnerability has been found in TRENDnet TEW-821DAP 1.11B03. This affects the function sub_42026C of the file /goform/tools_ddns of the component Firmware Update Handler. Such manipulation of the argument hostname/username/password leads to os command injection. The attack can be launched remotely. The vendor explains: "We are unable to confirm the existence of the vulnerabilities for (...) TEW-821DAP (v1.0R) as these items have been EOL. " This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
GitHub
IOT_Firmware_Update/Trendnet/TEW-821DAP_CI4.md at main ยท IOTRes/IOT_Firmware_Update
Contribute to IOTRes/IOT_Firmware_Update development by creating an account on GitHub.
๐จ CVE-2026-15487
A vulnerability was found in TRENDnet TEW-821DAP 1.11B03. This impacts the function sub_41FBD0 of the file /goform/system_ntp of the component Firmware Update Handler. Performing a manipulation of the argument Hostname results in os command injection. The attack may be initiated remotely. The vendor explains: "We are unable to confirm the existence of the vulnerabilities for (...) TEW-821DAP (v1.0R) as these items have been EOL. " This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
A vulnerability was found in TRENDnet TEW-821DAP 1.11B03. This impacts the function sub_41FBD0 of the file /goform/system_ntp of the component Firmware Update Handler. Performing a manipulation of the argument Hostname results in os command injection. The attack may be initiated remotely. The vendor explains: "We are unable to confirm the existence of the vulnerabilities for (...) TEW-821DAP (v1.0R) as these items have been EOL. " This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
GitHub
IOT_Firmware_Update/Trendnet/TEW-821DAP_CI5.md at main ยท IOTRes/IOT_Firmware_Update
Contribute to IOTRes/IOT_Firmware_Update development by creating an account on GitHub.
๐จ CVE-2026-15488
A vulnerability was determined in hcr707305003 shiroiAdmin 1.1/1.3. Affected is the function FileController::upload of the file app/common/controller/FileController.php. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.4 is able to address this issue. This patch is called 3ecde28ea8a20a3840dbfefd6d6863ee79a83e70. It is suggested to upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability was determined in hcr707305003 shiroiAdmin 1.1/1.3. Affected is the function FileController::upload of the file app/common/controller/FileController.php. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 1.4 is able to address this issue. This patch is called 3ecde28ea8a20a3840dbfefd6d6863ee79a83e70. It is suggested to upgrade the affected component. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
GitHub
GitHub - hcr707305003/shiroiAdmin: ShiroiAdmin ๏ผๅบไบThinkPHP6.0 + AdminLTE3.2 ็ๅๅฐ็ฎก็็ณป็ป
ShiroiAdmin ๏ผๅบไบThinkPHP6.0 + AdminLTE3.2 ็ๅๅฐ็ฎก็็ณป็ป. Contribute to hcr707305003/shiroiAdmin development by creating an account on GitHub.
๐จ CVE-2026-15489
A vulnerability was identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. Affected by this vulnerability is an unknown functionality of the file proses/login.php. The manipulation of the argument Username leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability was identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. Affected by this vulnerability is an unknown functionality of the file proses/login.php. The manipulation of the argument Username leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
Vulnerability Database
CVE-2026-15489 in TOKO-ONLINE-ROTI
A vulnerability was identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. This vulnerability is referenced as CVE-2026-15489.
๐จ CVE-2026-15490
A security flaw has been discovered in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. Affected by this issue is some unknown functionality of the file proses/add.php. The manipulation of the argument kode_produk/kd_cs results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A security flaw has been discovered in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. Affected by this issue is some unknown functionality of the file proses/add.php. The manipulation of the argument kode_produk/kd_cs results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
Vulnerability Database
CVE-2026-15490 in TOKO-ONLINE-ROTI
A security flaw has been discovered in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. This vulnerability is identified as CVE-2026-15490.
๐จ CVE-2026-15491
A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. This affects an unknown part. This manipulation causes missing authentication. The attack is possible to be carried out remotely. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. This affects an unknown part. This manipulation causes missing authentication. The attack is possible to be carried out remotely. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
Vulnerability Database
CVE-2026-15491 in TOKO-ONLINE-ROTI
A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. This vulnerability is tracked as CVE-2026-15491.
๐จ CVE-2026-15492
A security vulnerability has been detected in igweze wizgrade up to b1d55f22b90cd7e7a6e5002f006d7c649e8086d6. This vulnerability affects unknown code of the file dashboard/studentConductManager.php. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A security vulnerability has been detected in igweze wizgrade up to b1d55f22b90cd7e7a6e5002f006d7c649e8086d6. This vulnerability affects unknown code of the file dashboard/studentConductManager.php. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
Vulnerability Database
CVE-2026-15492 in wizgrade
A security vulnerability has been detected in igweze wizgrade up to b1d55f22b90cd7e7a6e5002f006d7c649e8086d6. This vulnerability is listed as CVE-2026-15492.
๐จ CVE-2026-15493
A vulnerability was detected in Akpali9 Attendance-Management-System up to 70b91fe38f4195b701a45f0edcd4f42d5f64aeee. This issue affects some unknown processing of the file absent.php. Performing a manipulation of the argument export_date results in cross site scripting. It is possible to initiate the attack remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability was detected in Akpali9 Attendance-Management-System up to 70b91fe38f4195b701a45f0edcd4f42d5f64aeee. This issue affects some unknown processing of the file absent.php. Performing a manipulation of the argument export_date results in cross site scripting. It is possible to initiate the attack remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
Vulnerability Database
CVE-2026-15493 in Attendance-Management-System
A vulnerability was detected in Akpali9 Attendance-Management-System up to 70b91fe38f4195b701a45f0edcd4f42d5f64aeee. This vulnerability is cataloged as CVE-2026-15493.
๐จ CVE-2026-15494
A flaw has been found in AMTT Hotel Broadband Operation System 1.0. Impacted is an unknown function of the file manager/network/switch_status.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A flaw has been found in AMTT Hotel Broadband Operation System 1.0. Impacted is an unknown function of the file manager/network/switch_status.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
GitHub
Anmei Digital Hotel Broadband Operating System Has SQL Injection Vulnerability ยท Issue #4 ยท MichaelZhuang521/cve
Affected version: Anmei Digital Hotel Broadband Operating System Has SQL Injection Vulnerability Official website: http://www.amttgroup.com/ Vulnerability File: manager/network/switch_status.php De...
๐จ CVE-2026-15495
A vulnerability has been found in SonicCloudOrg sonic-agent up to 2.7.2. The affected element is an unknown function of the file AndroidWSServer.java of the component Android WebSocket Server. The manipulation of the argument path leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
A vulnerability has been found in SonicCloudOrg sonic-agent up to 2.7.2. The affected element is an unknown function of the file AndroidWSServer.java of the component Android WebSocket Server. The manipulation of the argument path leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
GitHub
CVE_APPLY/V-S003_SonicAgent_pullFile_CmdInjection_RCE/poc_pullfile_rce.py at main ยท xpp3901/CVE_APPLY
cve็ณ่ฏท. Contribute to xpp3901/CVE_APPLY development by creating an account on GitHub.
๐จ CVE-2026-15496
A vulnerability was found in SonicCloudOrg sonic-agent up to 2.7.2. The impacted element is the function evalIsFailed of the file sonic-agent/src/main/java/org/cloud/sonic/agent/tests/script/GroovyScriptImpl.java of the component Groovy Script Handler. The manipulation results in os command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
A vulnerability was found in SonicCloudOrg sonic-agent up to 2.7.2. The impacted element is the function evalIsFailed of the file sonic-agent/src/main/java/org/cloud/sonic/agent/tests/script/GroovyScriptImpl.java of the component Groovy Script Handler. The manipulation results in os command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
GitHub
CVE_APPLY/V-S002_SonicCloudPlatform_Groovy_Unsandboxed_RCE at main ยท xpp3901/CVE_APPLY
cve็ณ่ฏท. Contribute to xpp3901/CVE_APPLY development by creating an account on GitHub.
๐จ CVE-2026-15497
A vulnerability was determined in SonicCloudOrg sonic-agent up to 2.7.2. This affects an unknown function of the file sonic-server-controller/src/main/java/org/cloud/sonic/controller/controller/ExchangeController.java of the component JWT Authentication Filter. This manipulation causes code injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
A vulnerability was determined in SonicCloudOrg sonic-agent up to 2.7.2. This affects an unknown function of the file sonic-server-controller/src/main/java/org/cloud/sonic/controller/controller/ExchangeController.java of the component JWT Authentication Filter. This manipulation causes code injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer.
๐@cveNotify
GitHub
CVE_APPLY/V-S001_SonicCloudPlatform_Unauth_ExchangeSend at main ยท xpp3901/CVE_APPLY
cve็ณ่ฏท. Contribute to xpp3901/CVE_APPLY development by creating an account on GitHub.
๐จ CVE-2026-15498
A vulnerability was identified in sergomanov SmartHomeAdatum up to cf495353d81b680675eb8d9aa14a318aa45ce12c. This impacts an unknown function of the file users.php of the component Login. Such manipulation of the argument Login leads to sql injection. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability was identified in sergomanov SmartHomeAdatum up to cf495353d81b680675eb8d9aa14a318aa45ce12c. This impacts an unknown function of the file users.php of the component Login. Such manipulation of the argument Login leads to sql injection. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
Vulnerability Database
CVE-2026-15498 in SmartHomeAdatum
A vulnerability was identified in sergomanov SmartHomeAdatum up to cf495353d81b680675eb8d9aa14a318aa45ce12c. This vulnerability is traded as CVE-2026-15498.
๐จ CVE-2026-15499
A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/cron_tools.py of the component Scheduled Task Handler. Performing a manipulation of the argument payload["note"] results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A security flaw has been discovered in AstrBotDevs AstrBot up to 4.25.2. Affected is the function FutureTaskTool.call of the file astrbot/core/tools/cron_tools.py of the component Scheduled Task Handler. Performing a manipulation of the argument payload["note"] results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
Gist
AstrBot: Improper ownership checks in `future_task` allow same-session users to modify other usersโ scheduled tasks and retainโฆ
AstrBot: Improper ownership checks in `future_task` allow same-session users to modify other usersโ scheduled tasks and retain victim-derived cron privileges - AstrBot-Improper-ownership-checks-in-...
๐จ CVE-2026-15500
A weakness has been identified in AstrBotDevs AstrBot up to 4.25.2. Affected by this vulnerability is the function get_online_plugins of the file astrbot/dashboard/routes/plugin.py of the component market_list Endpoint. Executing a manipulation of the argument custom_registry can lead to server-side request forgery. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A weakness has been identified in AstrBotDevs AstrBot up to 4.25.2. Affected by this vulnerability is the function get_online_plugins of the file astrbot/dashboard/routes/plugin.py of the component market_list Endpoint. Executing a manipulation of the argument custom_registry can lead to server-side request forgery. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
Gist
AstrBot: Authenticated SSRF in AstrBot plugin market custom registry handling
AstrBot: Authenticated SSRF in AstrBot plugin market custom registry handling - AstrBot-Authenticated-SSRF-in-AstrBot-plugin-market-custom-registry-handling.md
๐จ CVE-2026-56238
Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST global_stats endpoint that allows unauthenticated attackers to read sensitive financial and operational metrics using only the public apikey. Remote attackers can query the /rest/v1/global_stats endpoint to expose MRR, total revenue, plan-tier revenue breakdown, customer counts, and operational telemetry.
๐@cveNotify
Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST global_stats endpoint that allows unauthenticated attackers to read sensitive financial and operational metrics using only the public apikey. Remote attackers can query the /rest/v1/global_stats endpoint to expose MRR, total revenue, plan-tier revenue breakdown, customer counts, and operational telemetry.
๐@cveNotify
GitHub
Unauthenticated Supabase PostgREST exposes global_stats (MRR/total_revenue + plan mix + usage telemetry)
### Summary
Unauthenticated clients can read public.global_stats via Supabase PostgREST using only the public sb_publishable_* key (no user/session token required). The endpoint returns Capgo-wide...
Unauthenticated clients can read public.global_stats via Supabase PostgREST using only the public sb_publishable_* key (no user/session token required). The endpoint returns Capgo-wide...
๐จ CVE-2026-56241
Capgo before 12.128.2 contains a privilege escalation vulnerability where demoted super_admin users retain access to delete_non_compliant_bundles and count_non_compliant_bundles RPCs due to stale org_users.user_right column not being cleared during role binding deletion. Attackers can exploit this by maintaining a previously granted super_admin role to enumerate and bulk delete non-compliant bundles across the entire organization indefinitely.
๐@cveNotify
Capgo before 12.128.2 contains a privilege escalation vulnerability where demoted super_admin users retain access to delete_non_compliant_bundles and count_non_compliant_bundles RPCs due to stale org_users.user_right column not being cleared during role binding deletion. Attackers can exploit this by maintaining a previously granted super_admin role to enumerate and bulk delete non-compliant bundles across the entire organization indefinitely.
๐@cveNotify
GitHub
RBAC demotion does not clear org_users.user_right - demoted super_admin retains access to delete_non_compliant_bundles and couโฆ
### Summary
On RBAC-enabled organizations (use_new_rbac = true), deleting a user's role binding via DELETE /functions/v1/private/role_bindings/:binding_id only removes the role_bindings row....
On RBAC-enabled organizations (use_new_rbac = true), deleting a user's role binding via DELETE /functions/v1/private/role_bindings/:binding_id only removes the role_bindings row....
๐จ CVE-2026-56252
Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped credentials can trigger signed outbound webhook deliveries for arbitrary organization webhooks outside their declared app boundary, bypassing the limited_to_apps authorization check.
๐@cveNotify
Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped credentials can trigger signed outbound webhook deliveries for arbitrary organization webhooks outside their declared app boundary, bypassing the limited_to_apps authorization check.
๐@cveNotify
GitHub
App-scoped API keys can invoke org-scoped webhook test deliveries outside their app scope
### Summary
An API key limited to a single app (`limited_to_apps=[...]`) can still call the org-scoped `POST /webhooks/test` endpoint for any webhook in the same organization.
The root cause ...
An API key limited to a single app (`limited_to_apps=[...]`) can still call the org-scoped `POST /webhooks/test` endpoint for any webhook in the same organization.
The root cause ...