CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
ReDoS vulnerability in vLLM versions 0.6.3 through 0.9.0. Regular expression patterns in several components (vllm/lora/utils.py, phi4mini parser, OpenAI chat endpoint) are susceptible to catastrophic backtracking, allowing an attacker to cause CPU exhaustion and performance degradation.
Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter is not validated, enabling attackers to craft malicious links for phishing and credential harvesting attacks.
Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by observing 500 PGRST116 errors for inaccessible apps versus 401 errors for nonexistent apps.
Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters.
Cap-go before version 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint, allowing authenticated attackers to cause duplicate-page loops and make later rows unreachable.
Picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Attackers can exploit this by crafting malicious pickle payloads to bypass RCE blocklists and create lock files or other filesystem artifacts.
Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the require_apikey_expiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with legacy non-expiring keys to list, create, and delete webhooks.
Versions of capacitor-native-biometric before 12.128.2 contain an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass biometric authentication without valid credentials.
Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /replication endpoint that exposes internal PostgreSQL replication telemetry including slot names and WAL LSN positions. Attackers can access this endpoint without authentication to retrieve sensitive infrastructure details.
Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.
Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.
Cap-go before version 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions that are granted to the anon role without enforcing org membership or permission checks. An attacker can use the public Supabase API key to query org_id values, disclosing cross-tenant usage telemetry.
Capgo before version 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. Organization administrators can set an extremely large value as the minimum password length, making compliance impossible for all organization members.
Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, leading to outbound requests to these addresses.
Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract precise latitude and longitude coordinates revealing user physical location at capture time.
Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript, leading to cookie and session data theft.
Liquidfiles versions before 4.2.12 are affected by a broken access control vulnerability allowing privilege escalation from an Admin in a secondary domain to a Sysadmin by modifying a group in their managed secondary group.
The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to and including 6.3.7. This allows authenticated attackers with contributor-level access and above to perform arbitrary file operations.
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC. This allows unauthenticated attackers to insert arbitrary rows into version_meta for any app_id.
Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature. After a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state, leading to repeated password-reset prompts.

