CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST — in English

CISA KEV catalog updated: (v2026.07.07)

CVE-2026-56295
Medium

Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the require_apikey_expiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with legacy non-expiring keys to list, create, and delete webhooks.

CVE-2026-56294
Medium

Versions of capacitor-native-biometric before 12.128.2 contain an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass biometric authentication without valid credentials.

CVE-2026-56282
Medium

Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /replication endpoint that exposes internal PostgreSQL replication telemetry including slot names and WAL LSN positions. Attackers can access this endpoint without authentication to retrieve sensitive infrastructure details.

CVE-2026-56276
Medium

Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.

CVE-2026-56267
Medium

Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.

CVE-2026-56235
Medium

Cap-go before version 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions that are granted to the anon role without enforcing org membership or permission checks. An attacker can use the public Supabase API key to query org_id values, disclosing cross-tenant usage telemetry.

CVE-2026-56228
Medium

Capgo before version 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. Organization administrators can set an extremely large value as the minimum password length, making compliance impossible for all organization members.

CVE-2026-56227
Medium

Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, leading to outbound requests to these addresses.

CVE-2026-56218
Medium

Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract precise latitude and longitude coordinates revealing user physical location at capture time.

CVE-2025-71331
Medium

Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript, leading to cookie and session data theft.

CVE-2026-12673
Medium

Liquidfiles versions before 4.2.12 are affected by a broken access control vulnerability allowing privilege escalation from an Admin in a secondary domain to a Sysadmin by modifying a group in their managed secondary group.

CVE-2026-12119
Medium

The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to and including 6.3.7. This allows authenticated attackers with contributor-level access and above to perform arbitrary file operations.

CVE-2026-56213
Medium

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC. This allows unauthenticated attackers to insert arbitrary rows into version_meta for any app_id.

CVE-2026-56080
Medium

Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature. After a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state, leading to repeated password-reset prompts.

CVE-2026-56079
Medium

Capgo before version 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs.

CVE-2026-50519
Medium

The vulnerability in GitHub Copilot and Visual Studio Code is caused by initializing a resource with an insecure default, allowing an unauthorized attacker to disclose information over a network.

CVE-2026-49337
Medium

libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` to attach slice headers to a finished picture object that has no active image unit, resulting in attacker-controlled unbounded heap growth.

CVE-2026-48129
Medium

Kestra is an event-driven orchestration platform that, prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, had an issue with the `inputFiles` task. This allowed file names to be written directly in the task working directory, potentially leading to overwriting files outside of that directory.

CVE-2026-42895
Medium

A vulnerability in Microsoft Copilot allows an unauthorized attacker to perform command injection over a network. The issue stems from improper neutralization of special elements used in a command.

CVE-2026-49345
Medium

In the Mercator application prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in the CVE configuration panel. The `testProvider()` method in `ConfigurationController` does not validate user input, allowing authenticated users with the right permissions to force arbitrary outbound network requests.

PreviousPage 80 of 511Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS