CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the require_apikey_expiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with legacy non-expiring keys to list, create, and delete webhooks.
Versions of capacitor-native-biometric before 12.128.2 contain an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass biometric authentication without valid credentials.
Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /replication endpoint that exposes internal PostgreSQL replication telemetry including slot names and WAL LSN positions. Attackers can access this endpoint without authentication to retrieve sensitive infrastructure details.
Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.
Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs, names, account status, and timestamps by sending requests with known email addresses.
Cap-go before version 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions that are granted to the anon role without enforcing org membership or permission checks. An attacker can use the public Supabase API key to query org_id values, disclosing cross-tenant usage telemetry.
Capgo before version 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. Organization administrators can set an extremely large value as the minimum password length, making compliance impossible for all organization members.
Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, leading to outbound requests to these addresses.
Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract precise latitude and longitude coordinates revealing user physical location at capture time.
Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript, leading to cookie and session data theft.
Liquidfiles versions before 4.2.12 are affected by a broken access control vulnerability allowing privilege escalation from an Admin in a secondary domain to a Sysadmin by modifying a group in their managed secondary group.
The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to and including 6.3.7. This allows authenticated attackers with contributor-level access and above to perform arbitrary file operations.
Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC. This allows unauthenticated attackers to insert arbitrary rows into version_meta for any app_id.
Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature. After a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state, leading to repeated password-reset prompts.
Capgo before version 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs.
The vulnerability in GitHub Copilot and Visual Studio Code is caused by initializing a resource with an insecure default, allowing an unauthorized attacker to disclose information over a network.
libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted sequence of H.265 NAL units causes `decoder_context::read_slice_NAL()` to attach slice headers to a finished picture object that has no active image unit, resulting in attacker-controlled unbounded heap growth.
Kestra is an event-driven orchestration platform that, prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, had an issue with the `inputFiles` task. This allowed file names to be written directly in the task working directory, potentially leading to overwriting files outside of that directory.
A vulnerability in Microsoft Copilot allows an unauthorized attacker to perform command injection over a network. The issue stems from improper neutralization of special elements used in a command.
In the Mercator application prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in the CVE configuration panel. The `testProvider()` method in `ConfigurationController` does not validate user input, allowing authenticated users with the right permissions to force arbitrary outbound network requests.

