Skip to main content
CVE-2026-48908 CRITICAL POC KEV EUVD KEV THREAT Emergency

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through 6.6.1) allows attackers to upload PHP files that execute on the server, leading to full site compromise. CVSS 4.0 base score is 10.0 with the vendor flagging exploitation as Active (E:A), and no public exploit identified at time of analysis. Given the unauthenticated network vector and direct RCE outcome, this is a critical-priority issue for any Joomla site running the extension.

PHP Authentication Bypass Sp Page Builder Extension For Joomla
NVD VulDB GitHub
CVSS 4.0
10.0
EPSS
0.6%
Threat
5.0
CVE-2026-48939 CRITICAL POC KEV THREAT Emergency

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the event attachment feature to upload and execute server-side code, leading to full web application compromise. The flaw affects iCagenda 1.0.0-3.9.14 and 4.0.0-4.0.7 and carries a CVSS 4.0 score of 10.0 with exploitation marked as Attacked (E:A) in the vector, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Authentication Bypass PHP Icagenda Extension For Joomla
NVD VulDB GitHub
CVSS 4.0
10.0
EPSS
0.4%
Threat
5.0
CVE-2022-50972 CRITICAL POC Act Now

WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection RCE WordPress PHP Woocommerce
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.6%
CVE-2019-25763 CRITICAL POC PATCH Act Now

WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Google Authentication Bypass WordPress PHP Ultimate Addons For Beaver Builder
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2020-37255 HIGH POC PATCH This Week

WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass WordPress Time Capsule Plugin
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-5366 CRITICAL Act Now

Remote code execution in Prefect 3.6.23 allows any user holding deployment-creation permissions to run arbitrary commands on shared worker machines by abusing the GitRepository storage class. The commit_sha and directories parameters are concatenated into git invocations without a `--` separator or validation, letting attackers smuggle flags such as `--upload-pack` to execute external programs. No public exploit identified at time of analysis, but the bug was reported via huntr and is particularly dangerous for multi-tenant work pools where worker compromise crosses trust boundaries.

RCE Code Injection Prefecthq Prefect
NVD VulDB
CVSS 3.0
9.9
EPSS
0.6%
CVE-2026-12673 MEDIUM POC PATCH This Month

Privilege escalation in LiquidFiles before 4.2.12 allows an authenticated Admin of a secondary (non-default) domain to elevate to full Sysadmin access by manipulating group settings within their managed secondary domain group. This broken access control flaw (CWE-285) collapses the authorization boundary between domain-scoped Admin and system-wide Sysadmin roles, granting an attacker complete platform control. No public exploitation has been confirmed in CISA KEV, but a public proof-of-concept is available from Project Black (PRJBLK), meaningfully elevating real-world risk above what the 5.9 CVSS score alone suggests.

Privilege Escalation Authentication Bypass Liquidfiles
NVD VulDB
CVSS 4.0
5.9
EPSS
0.3%
CVE-2026-11551 CRITICAL Act Now

Unauthenticated account takeover in the Branda (white-labeling) plugin for WordPress through version 3.4.29 allows remote attackers to reset arbitrary user passwords, including administrators, by abusing a password update flow that fails to verify the requester's identity. Wordfence-reported flaw is tracked as CVE-2026-11551 with a CVSS 9.8; no public exploit identified at time of analysis, but the trivial exploitability of the vulnerable signup-password module makes weaponization straightforward once the patched code is diffed.

Privilege Escalation WordPress
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-48909 CRITICAL POC Act Now

Unauthenticated remote code execution in JoomShaper's SP LMS (com_splms) Joomla extension versions 1.0.0 through 4.1.3 allows network attackers to run arbitrary code on the server by sending a crafted cookie that the component deserializes without validation. The flaw is a textbook PHP object injection (CWE-502) with a CVSS 4.0 base score of 9.5, but at time of analysis there is no public exploit identified and the issue is not on the CISA KEV list. Risk is elevated because the trigger is a cookie value parsed before any authentication check.

RCE Deserialization Sp Lms Extension For Joomla
NVD VulDB Exploit-DB
CVSS 4.0
9.5
EPSS
0.8%
CVE-2024-58351 CRITICAL PATCH Act Now

Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Denial Of Service SSRF Flowise
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-56345 CRITICAL Act Now

Authorization bypass in AVideo's Meet plugin (versions through 29.0) lets remote attackers hijack arbitrary user sessions, including admin, by abusing the uploadRecordedVideo.json.php endpoint which derives the target users_id from a caller-controlled filename and then invokes the passwordless User->login() path. Exploitation requires the Meet shared secret, but that secret is a deterministic MD5 of values from configuration.php and is recoverable via known path-traversal flaws or timing attacks against checkToken.json.php. No public exploit identified at time of analysis, though the VulnCheck and GHSA advisories document the attack with code-level precision.

Authentication Bypass PHP File Upload Avideo
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-9265 CRITICAL PATCH Act Now

Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_attribute() copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length via strncpy, leaving no NUL terminator. Downstream callers run strlen() on the result and pass the inflated length to newSVpvn(), copying attacker-influenced adjacent heap bytes into a Perl scalar.

OpenSSL Information Disclosure Crypt Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-56340 HIGH PATCH This Week

Denial of service and potential memory corruption in vLLM versions 0.10.2 through 0.12.x stems from missing sparse tensor validation in multimodal embeddings processing, allowing authenticated remote users to submit crafted prompt-embedding requests with malformed tensor indices. Because PyTorch disables sparse tensor invariant checks by default, attackers can crash the inference server or exhaust resources, with potential out-of-bounds or write-what-where memory corruption. No public exploit identified at time of analysis; this continuation of CVE-2025-62164 addresses the root cause that the prior fix only masked by disabling the feature by default.

Denial Of Service Buffer Overflow Vllm
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56215 HIGH PATCH This Week

Account takeover in Capgo before 12.128.12 allows authenticated low-privileged users to hijack other users' SSO identities by abusing the SSO provisioning endpoint's reliance on a user-mutable email field as an account-merge key. By updating their own public.users.email to a target's corporate SSO address before the victim's first SSO login, an attacker causes the provision-user flow to merge the victim's federated identity into the attacker-controlled account. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-56341 HIGH This Week

Unauthenticated information disclosure in AVideo through 26.0 exposes payment transaction records via multiple list.json.php endpoints in the PayPalYPT, AuthorizeNet, and BTCPayments plugins that lack User::isAdmin() authorization checks. Remote attackers can issue direct GET requests to harvest PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin transaction records without credentials. No public exploit identified at time of analysis, but the GHSA advisory from WWBN/AVideo and VulnCheck disclosure provide full endpoint paths sufficient for trivial reproduction.

Authentication Bypass PHP Avideo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56216 HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 allows holders of app-limited API keys to mint new unrestricted keys via the POST /functions/v1/apikey endpoint by submitting empty limit fields. The flaw effectively bypasses the API key scoping model, granting org-wide access to app listings and other protected resources from any compromised low-privilege key. No public exploit identified at time of analysis, but a vendor advisory (GHSA-2ff8-7h96-hwfp) and a VulnCheck writeup confirm the issue.

Privilege Escalation Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-56214 HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers enumerate organizations and reveal billing status by invoking the Supabase PostgREST RPC endpoints is_trial_org and is_paying_org with the publicly distributed sb_publishable key. The flaw is reachable directly over the network without credentials and produces distinguishable responses that identify paying customers, enabling targeted profiling; no public exploit identified at time of analysis.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-9843 HIGH This Week

Arbitrary file deletion in the Database for Contact Form 7, WPforms, Elementor forms WordPress plugin (versions ≤1.5.1) allows remote unauthenticated attackers to poison form entries with traversal payloads that, when later viewed by an administrator, delete arbitrary server files and can be escalated to remote code execution by removing wp-config.php. Reported by Wordfence with publicly available exploit code exists via the Wordfence advisory; no public exploit identified at time of analysis as weaponized in-the-wild attacks, and the issue is not in CISA KEV.

Path Traversal PHP WordPress RCE Database For Contact Form 7 Wpforms Elementor Forms
NVD VulDB
CVSS 3.1
8.1
EPSS
0.7%
CVE-2026-44914 HIGH This Week

Authorization bypass in Apache NiFi 1.12.0 through 2.9.0 allows authenticated users with general write access to add Restricted-annotated extension components when replacing Process Groups, despite lacking the explicit Restricted-component privilege. The flaw stems from the framework failing to enforce Restricted-annotation checks during Process Group replacement, effectively letting privileged-component installation bypass its intended authorization boundary. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Apache Authentication Bypass Nifi
NVD VulDB
CVSS 4.0
7.5
EPSS
0.3%
CVE-2026-11911 HIGH This Week

Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows remote attackers to delete any file the web server can write to, including wp-config.php, which can escalate to remote code execution. The flaw lives in the eeSFL_DeleteFile function and is reachable via the simplefilelist_edit_job AJAX action registered through wp_ajax_nopriv_, with the is_admin() guard rendered ineffective because that function always returns true on admin-ajax.php. No public exploit identified at time of analysis, but the trivial reachability and high-value target (WordPress) make weaponization straightforward.

Path Traversal PHP WordPress RCE Simple File List
NVD VulDB
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-11912 HIGH This Week

Arbitrary file modification and deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows unauthenticated remote attackers to alter or remove files on the server. The flaw stems from a broken authorization guard where an is_admin() check short-circuits before the AllowFrontManage setting is evaluated, leaving every installation exposed regardless of configuration. No public exploit identified at time of analysis, but the bug is reachable on default settings and was disclosed by Wordfence.

WordPress Authentication Bypass Simple File List
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-56346 MEDIUM This Month

Unauthenticated PGP decryption exposure in AVideo through version 25.0 allows any remote attacker to submit private key material, ciphertext, and passphrases to the publicly accessible decryptMessage.json.php endpoint and receive plaintext in the server response - no credentials, session, or token required. The dual impact is confidentiality loss (private key material processed in server memory may be captured in application or web server logs) and availability degradation via unconstrained CPU consumption from repeated cryptographic operations. A publicly available proof-of-concept exists per the GHSA advisory; no vendor patch has been released as of this analysis.

Authentication Bypass Denial Of Service PHP Avideo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-56304 MEDIUM PATCH This Month

Unsafe pickle deserialization in picklescan before 1.0.1 allows unauthenticated remote attackers to create arbitrary zero-byte files on the server by crafting malicious pickle payloads that instantiate Python's standard-library logging.FileHandler class. This technique bypasses RCE-focused blocklists because it abuses legitimate standard library functionality rather than commonly blocked modules, making it a notable blocklist-evasion primitive. A publicly available proof-of-concept exploit exists; no public exploit identified at time of analysis for active KEV-confirmed exploitation, but the PoC demonstrates concrete filesystem impact including lock-file-based denial of service.

Deserialization Denial Of Service Picklescan
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56235 MEDIUM PATCH This Month

Cross-tenant information disclosure in Capgo (cap-go/capgo) before version 12.128.2 exposes per-organization usage telemetry to any caller holding the publicly distributed Supabase API key. Three PostgREST RPC functions - get_app_metrics, get_global_metrics, and get_total_metrics - are granted to the Supabase anon role without enforcing org membership or permission checks, allowing queries against arbitrary org_id values to return MAU, bandwidth, installs, and app IDs belonging to other tenants. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; a vendor-released patch exists at version 12.128.2.

Information Disclosure Oracle Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56228 MEDIUM PATCH This Month

Capgo's password policy configuration in versions before 12.128.2 can be exploited by an authenticated organization administrator to trigger an organization-wide account lockout by setting an arbitrarily large minimum password length - such as billions of characters - with no server-side upper-bound enforcement. Once the malicious policy is enabled, every organization member including other administrators is prevented from setting a compliant password, permanently blocking access to the organization and constituting an application-level denial of service. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in the insider-threat and compromised-admin-credential risk category.

Denial Of Service Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56282 MEDIUM PATCH This Month

Unauthenticated access to Capgo's /replication HTTP endpoint exposes internal PostgreSQL replication telemetry to any remote attacker, affecting all versions prior to 12.128.2. Attackers can retrieve replication slot names, WAL LSN positions (confirmed_flush_lsn, restart_lsn), and database error messages without supplying any credentials, enabling database infrastructure reconnaissance. No public exploit code or CISA KEV listing exists at time of analysis, but the zero-complexity unauthenticated attack vector makes opportunistic scanning against internet-exposed Capgo deployments trivially feasible.

Information Disclosure PostgreSQL Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56267 MEDIUM PATCH This Month

Unauthenticated PII exposure in Flowise's forgot-password API endpoint allows remote attackers to harvest user objects containing IDs, full names, email addresses, account status, and timestamps by submitting any known or guessed email address. All Flowise releases prior to 3.0.13 are affected via the POST /api/v1/account/forgot-password endpoint, which returns a sanitized but data-rich user object instead of a generic acknowledgment. No public exploit has been identified at time of analysis per CISA KEV, though the GHSA advisory (GHSA-jc5m-wrp2-qq38) includes a working curl-based proof-of-concept demonstrating the full response.

Information Disclosure Flowise
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-56218 MEDIUM PATCH This Month

Capgo before version 12.128.2 exposes user physical location by retaining EXIF GPS metadata in uploaded images without sanitization. Unauthenticated remote attackers can download images hosted on affected Capgo instances and extract embedded latitude/longitude coordinates, revealing where users were physically located at the time of photo capture. No public exploit is identified at time of analysis, and a vendor patch is available in version 12.128.2.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56213 MEDIUM PATCH This Month

Cross-tenant metrics poisoning in Capgo before 12.128.2 allows unauthenticated remote attackers to insert arbitrary rows into the version_meta table for any tenant's app_id by invoking the PostgREST RPC endpoint using only the public anonymous key. The root cause is a missing authorization check inside a SECURITY DEFINER PostgreSQL function, which executes with elevated definer privileges while accepting caller-supplied app_id values without ownership validation. Although no public exploit code or CISA KEV listing exists at time of analysis, the attack requires no credentials beyond the public anon key - typically embedded in distributed client applications - making the practical barrier to exploitation extremely low despite the moderate CVSS 4.0 score of 6.9.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-12119 MEDIUM This Month

Unauthorized file operations in the Simple File List WordPress plugin (versions through 6.3.7) allow authenticated contributors to delete, move, create folders, and download arbitrary server files by exploiting a missing authorization check on the 'frontmanage' shortcode attribute. The attack is non-trivial but fully described: an attacker creates a draft post embedding the 'eeSFL' shortcode, loads the WordPress post preview endpoint to harvest a valid nonce, then submits file operation requests to ee-list-ops-bar-process.php that bypass the intended privilege checks. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; a patch changeset (3579098) exists in the plugin repository, though the released fixed version is not independently confirmed.

Authentication Bypass WordPress PHP Simple File List
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-54665 MEDIUM PATCH This Month

Host header injection in Apache NiFi 0.0.1 through 2.9.0 enables network-accessible clients to supply arbitrary values via X-ProxyHost and X-Forwarded-Host HTTP headers, causing the application to construct attacker-controlled qualified URLs used in HTTP redirects and data references. Although NiFi introduced an allowlist-based Host header control (nifi.web.proxy.host) in version 1.6.0, that validation was never extended to the alternative proxy and forwarded headers, leaving a persistent gap across roughly a decade of releases. No public exploit code has been identified at time of analysis and CVE-2026-54665 is not listed in CISA KEV; practical risk centers on open-redirect abuse, link manipulation, and potential bypass of same-origin assumptions rather than direct code execution.

Apache Information Disclosure Nifi
NVD VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-56342 MEDIUM This Month

Full-read SSRF in AVideo through version 27.0 allows authenticated administrators to make the server fetch arbitrary URLs via the statsURL parameter in plugin/Live/test.php, including cloud metadata endpoints and internal network services. The endpoint bypasses the codebase's own isSSRFSafeURL() guard - used in seven other endpoints - and returns full response bodies in the HTML output, enabling retrieval of IAM credentials from cloud metadata services such as 169.254.169.254, internal service data, and network configuration details. No public exploit code has been formally labeled as proof-of-concept, but the GHSA advisory discloses the complete vulnerable code path with all three sink functions (file_get_contents, curl_exec, wget), making exploitation trivial for any party who has read the advisory.

PHP SSRF Avideo
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.2%
CVE-2026-56276 MEDIUM PATCH This Month

Mass assignment in Flowise's PUT /api/v1/user endpoint (all versions before 3.1.2) allows an authenticated user to overwrite their own account's password hash by supplying a crafted `credential` field in the request body, entirely bypassing the intended old-password verification, hashing enforcement, and session-invalidation workflow. An attacker who first obtains a temporary session - via XSS, token theft, or session hijacking - can exploit this to establish permanent account persistence even after the legitimate session expires, with no knowledge of the current password required. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 3.1.2.

Authentication Bypass Flowise
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.3%
CVE-2025-62198 MEDIUM This Month

Stored XSS in Apache Atlas's Create Entity page allows any authenticated user to inject persistent malicious JavaScript that executes in other users' browsers. All deployments running Apache Atlas 2.4.0 and earlier are affected. An attacker with a valid account can store a crafted payload that triggers against higher-privileged users - such as administrators - who later view the poisoned entity, enabling session hijacking or credential theft. No public exploit or CISA KEV listing has been identified at time of analysis.

Apache XSS Atlas
NVD VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-71379 MEDIUM PATCH This Month

Regular expression denial of service in vLLM versions 0.6.3 through 0.8.x exposes three distinct attack surfaces - the LoRA utility module, the phi4mini tool parser, and the OpenAI-compatible chat endpoint - to catastrophic regex backtracking, causing severe CPU exhaustion and service-wide denial of service. Authenticated API consumers can submit crafted inputs with deeply nested or repeated structures (e.g., `((((a|)+)+)+)`) to trigger unbounded processing in Python's backtracking NFA regex engine. No public exploit identified at time of analysis, though the GHSA advisory discloses the exact vulnerable patterns and example malicious inputs, substantially lowering the reproduction barrier for anyone with API access.

Denial Of Service Vllm Red Hat
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56347 MEDIUM This Month

Stored cross-site scripting in AVideo's TopMenu plugin through version 26.0 allows payload execution for every site visitor due to unescaped rendering of icon classes, URLs, and text labels across multiple PHP templates. Critically, the saving endpoint (`menuItemSave.json.php`) lacks CSRF token validation despite checking for admin status, enabling a full CSRF-to-stored-XSS chain: an attacker with no account can inject the malicious menu item by luring an authenticated admin to an attacker-controlled page. Publicly available exploit code exists (GHSA-gmpc-fxg2-vcmq); no vendor-released patch has been identified at time of analysis.

XSS Avideo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56319 MEDIUM PATCH This Month

Tenant isolation is broken in Capgo's statistics API before version 12.128.2, allowing authenticated holders of app-limited API keys to enumerate app IDs belonging to other tenants across the platform. The GET /statistics/app/:app_id endpoint returns distinct error codes depending on whether a target app exists (500 PGRST116) or is entirely nonexistent (401), creating an oracle that maps real app IDs outside the caller's authorized scope. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 5.3 reflects the authenticated requirement and limited confidentiality impact.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56307 MEDIUM PATCH This Month

Broken cursor pagination in Capgo's /private/devices endpoint on the Cloudflare/workerd runtime path allows authenticated attackers with app.read_devices permission to trigger infinite duplicate-page loops, making later dataset rows permanently unreachable for affected sessions. All Capgo versions before 12.128.12 are vulnerable, and the impact is operational: device-management workflows repeatedly process the same duplicate records while failing to advance through the full dataset. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 5.3 (Medium) reflects limited, availability-only impact scoped to the vulnerable system.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56295 MEDIUM PATCH This Month

Webhook management endpoints in Capgo before 12.128.2 expose an authorization policy bypass that allows holders of non-expiring API keys to circumvent the organization-level require_apikey_expiration policy. The checkWebhookPermission function omits the required call to apikeyHasOrgRightWithPolicy, leaving webhook operations - listing, creating, and deleting - accessible to legacy non-expiring keys even when the organization has explicitly mandated key expiration. No public exploit has been identified at time of analysis, and exploitation requires prior possession of a valid non-expiring API key, targeting organizations that believed their key-expiration policy was uniformly enforced.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56227 MEDIUM PATCH This Month

Server-side request forgery in Capgo's webhook URL validation exposes internal infrastructure to organization admins who can direct the backend to issue HTTP requests against loopback and private addresses (localhost, 127.0.0.1). All Capgo versions prior to 12.128.2 are affected per the GitHub Security Advisory GHSA-48hc-53hv-6x3f. The vulnerability is particularly dangerous in cloud-hosted deployments where the backend server can reach instance metadata services (e.g., AWS IMDS), and error responses are disclosed directly to the triggering user, enabling iterative internal network reconnaissance. No public exploit identified at time of analysis and no CISA KEV listing, but the authenticated-admin attack path lowers the effective barrier in multi-tenant SaaS environments.

SSRF Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-44913 MEDIUM This Month

SQL injection via improperly escaped MySQL table names in Apache NiFi's CaptureChangeMySQL Processor (versions 1.2.0 through 2.9.0) allows an attacker with MySQL CREATE TABLE access in a monitored database to inject arbitrary SQL commands executed under NiFi's MySQL service credentials. A partial mitigation introduced in 1.8.0 added manual quoted boundaries that narrowed - but did not eliminate - the injection surface; the root flaw persisted for years until full remediation in 2.10.0. No public exploit identified at time of analysis and not listed in CISA KEV; the issue was discovered by Roberto Suggi Liverani of the NATO Cyber Security Centre (NCSC) and disclosed in April 2026.

Apache Code Injection Nifi
NVD VulDB
CVSS 4.0
5.2
EPSS
0.3%
CVE-2025-71331 MEDIUM PATCH This Month

Cross-site scripting in Flowise before 3.0.8 allows unauthenticated network attackers to inject malicious JavaScript into the chat interface via iframe javascript: URI payloads, or indirectly via custom agent functions that fetch and render unsanitized external HTTP responses. When a victim browses the affected chat or agent output in their browser, the injected script executes in their session, enabling cookie theft and session hijacking. A working proof-of-concept payload is publicly documented in GitHub Security Advisory GHSA-4fr9-3x69-36wv; no active exploitation is confirmed in CISA KEV at time of analysis.

XSS Flowise
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-56332 MEDIUM PATCH This Month

Open redirect in Capgo's confirm-signup endpoint (all versions before 12.128.2) enables unauthenticated remote attackers to craft account confirmation links that silently redirect victims to arbitrary attacker-controlled websites. The unvalidated `confirmation_url` parameter in the confirm-signup flow accepts any external URL without domain allowlisting or sanitization, making legitimate Capgo-sending domains a trusted launchpad for phishing and credential harvesting. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the social engineering amplification risk is significant given the trusted-email-domain context.

Open Redirect Capgo
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-56212 MEDIUM PATCH This Month

Authentication logic bypass in Capgo before 12.128.2 permits a team or organization security settings manager to enforce mandatory two-factor authentication across all team members without having 2FA active on their own account. The platform never validates the initiator's own 2FA enrollment state before committing the policy change, creating an asymmetric enforcement condition where the policy creator is effectively exempt from the mandate they impose. No public exploit code has been identified and Capgo is not listed in the CISA Known Exploited Vulnerabilities catalog; the CVSS 4.0 score of 5.1 (PR:H) reflects that exploitation is constrained to already-privileged insiders.

Privilege Escalation Capgo
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-56330 MEDIUM PATCH This Month

Open redirect in Capgo's Stripe billing endpoints (stripe_portal and stripe_checkout) allows authenticated attackers to manipulate the callbackUrl, successUrl, and cancelUrl parameters to silently redirect users to attacker-controlled phishing domains after billing interactions. All Capgo releases before 12.128.2 are affected per vendor advisory GHSA-grc7-98pf-h8hq. Exploitation requires a valid Capgo account (CVSS PR:L) and victim interaction (UI:A), and no public exploit or CISA KEV listing exists at time of analysis; however, the Stripe payment context lends phishing lures unusual credibility, elevating realistic social-engineering risk above what the medium CVSS score alone implies.

Open Redirect Capgo
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.2%
CVE-2026-56294 MEDIUM PATCH This Month

Authentication bypass in cap-go/capacitor-native-biometric allows an attacker with physical device access to circumvent biometric authentication by hooking the onAuthenticationSucceeded() callback via dynamic instrumentation. The root cause is that AuthActivity.java's implementation of BiometricPrompt.AuthenticationCallback never retrieves or validates the CryptoObject from the AuthenticationResult, making the entire cryptographic binding between biometric gesture and protected key material moot. All npm package versions below the patched release are affected. A proof-of-concept video is publicly available per the GHSA advisory, though no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass Capacitor Native Biometric
NVD GitHub VulDB
CVSS 4.0
4.3
EPSS
0.2%
CVE-2026-56355 LOW Monitor

Information disclosure in GNU Savane's file-serving layer (frontend/php/file.php) allows network-accessible, unauthenticated remote attackers to bypass file authorization controls by supplying untrusted user-controlled data that the application incorrectly treats as authoritative in its access decision logic. Affected installations span Savane 3.14 through 3.17, confirmed by EUVD-2026-38135 and acknowledged via an FSF public statement. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the AC:H CVSS rating suggests non-trivial exploitation rather than a trivially automated mass-scan scenario.

Information Disclosure Savane
NVD VulDB
CVSS 3.1
3.7
EPSS
0.3%
CVE-2026-56317 LOW PATCH Monitor

Cross-site scripting in Nuxt's globally registered NoScript component allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting payload via attacker-controlled slot content, such as URL query parameters. The vulnerability exists in both supported release lines - 3.x before 3.21.7 and 4.x before 4.4.7 - and is rooted in the server-side rendering pipeline writing slot content to innerHTML without escaping, bypassing Vue's normal template sanitization. No active exploitation has been confirmed in CISA KEV; vendor-released patches are available and the fix is a one-line change confirmed in open commit history.

XSS Nuxt
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.4%
CVE-2026-44911 LOW Monitor

Incorrect authorization enforcement in Apache NiFi 1.15.0 through 2.9.0 allows read-privileged users to submit configuration verification requests containing arbitrary proposed properties, bypassing the write-access requirement. The nifi-web-api REST endpoints for component configuration verification accepted proposed configuration overrides from any authenticated user with read access, enabling those users to invoke predefined verification methods - such as testing connectivity, credentials, or remote service endpoints - with attacker-supplied settings. No public exploit has been identified at time of analysis, and the fix is confirmed available in Apache NiFi 2.10.0.

Apache Authentication Bypass Nifi
NVD VulDB
CVSS 4.0
2.3
EPSS
0.3%
CVE-2026-56325 LOW PATCH Monitor

Preview subdomain resolution in Capgo before 12.128.2 is susceptible to app-id confusion because the resolver uses PostgreSQL's ILIKE operator - which treats underscores as single-character wildcards - instead of exact equality matching for app_id lookups. An authenticated attacker who can register a Capgo application can craft an app_id with strategically placed underscores that collide with a victim application's identifier, hijacking preview subdomain resolution and breaking preview functionality for the targeted app. No public exploit code exists and no active exploitation has been confirmed (KEV absent); the CVSS 4.0 score of 2.3 reflects genuinely low real-world risk constrained by high attack complexity, required authentication, and limited availability-only impact.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy