Monthly
Unauthenticated organization enumeration in Capgo before 12.128.2 lets attackers abuse the Supabase PostgREST SECURITY DEFINER RPC public.rescind_invitation, which returns distinguishable NO_ORG versus NO_RIGHTS errors when invoked with only a publishable (anon) API key. This oracle lets remote unauthenticated attackers confirm which organization IDs exist, building a target list for follow-on phishing and social engineering. Reported by VulnCheck; no public exploit code and no CISA KEV listing at time of analysis.
Information disclosure in Capgo (Cap-go) before 12.128.2 allows unauthenticated network attackers to enumerate valid app IDs by observing differential error responses from the public.transfer_app RPC endpoint, requiring only a publishable API key. The root cause is a CWE-203 observable discrepancy: the endpoint returns distinguishable error messages depending on whether a supplied app ID exists or not, functioning as an existence oracle. No active exploitation is confirmed (not in CISA KEV), but the low barrier to exploitation - network-accessible, no authentication beyond a publishable key - makes this a practical reconnaissance primitive against Capgo-hosted applications.
User enumeration via the reset_password endpoint in Frappe framework exposes valid account usernames to unauthenticated remote attackers across all versions prior to 15.106.0 and 16.16.0. The flaw stems from observable response discrepancies (CWE-203) that allow systematic probing of registered accounts without any credentials. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the zero-barrier network access makes this a realistic reconnaissance primitive for credential stuffing or targeted phishing campaigns against Frappe-based deployments.
An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid and invalid usernames based on variations in server responses. This information can be leveraged to identify existing accounts and facilitate further attacks, including brute-force or credential stuffing.
Remote username enumeration in GoFiber fiber v3's default BasicAuth middleware exploits a timing side-channel caused by Go's short-circuit `&&` evaluation, producing a ~1,000,000:1 response-time ratio between valid and invalid usernames when bcrypt hashing is in use. Any GoFiber v3 application relying on the default `Authorizer` with hashed credentials is affected; an unauthenticated remote attacker can enumerate valid usernames by measuring HTTP response latency, then focus credential brute-force exclusively on confirmed accounts. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.
Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
Unauthenticated organization enumeration in Capgo before 12.128.2 exposes tenant existence through differential error responses in the public.invite_user_to_org SECURITY DEFINER RPC function. Any caller holding a publishable API key - a client-side credential intentionally distributed in mobile apps - can probe arbitrary organization IDs and distinguish NO_ORG from NO_RIGHTS responses, confirming or denying tenant existence at scale. No active exploitation is confirmed (not in CISA KEV) and no public POC has been identified, but the attack barrier is exceptionally low given the freely obtainable key material and the network-accessible default posture.
Unauthenticated job ID enumeration in Cap-go (Capgo) before version 12.128.2 exposes internal builder job identifiers via observable response discrepancies on the OPTIONS /build/upload/:jobId/* endpoint. Any network-accessible attacker can probe this endpoint without credentials to distinguish valid job IDs from invalid ones, effectively building a map of active build jobs. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the zero-barrier exploitation (no auth, no interaction) and dual impact of information disclosure and incidental resource consumption make it a meaningful exposure for organizations running self-hosted Capgo instances.
Tenant isolation is broken in Capgo's statistics API before version 12.128.2, allowing authenticated holders of app-limited API keys to enumerate app IDs belonging to other tenants across the platform. The GET /statistics/app/:app_id endpoint returns distinct error codes depending on whether a target app exists (500 PGRST116) or is entirely nonexistent (401), creating an oracle that maps real app IDs outside the caller's authorized scope. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 5.3 reflects the authenticated requirement and limited confidentiality impact.
Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated organization enumeration in Capgo before 12.128.2 lets attackers abuse the Supabase PostgREST SECURITY DEFINER RPC public.rescind_invitation, which returns distinguishable NO_ORG versus NO_RIGHTS errors when invoked with only a publishable (anon) API key. This oracle lets remote unauthenticated attackers confirm which organization IDs exist, building a target list for follow-on phishing and social engineering. Reported by VulnCheck; no public exploit code and no CISA KEV listing at time of analysis.
Information disclosure in Capgo (Cap-go) before 12.128.2 allows unauthenticated network attackers to enumerate valid app IDs by observing differential error responses from the public.transfer_app RPC endpoint, requiring only a publishable API key. The root cause is a CWE-203 observable discrepancy: the endpoint returns distinguishable error messages depending on whether a supplied app ID exists or not, functioning as an existence oracle. No active exploitation is confirmed (not in CISA KEV), but the low barrier to exploitation - network-accessible, no authentication beyond a publishable key - makes this a practical reconnaissance primitive against Capgo-hosted applications.
User enumeration via the reset_password endpoint in Frappe framework exposes valid account usernames to unauthenticated remote attackers across all versions prior to 15.106.0 and 16.16.0. The flaw stems from observable response discrepancies (CWE-203) that allow systematic probing of registered accounts without any credentials. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the zero-barrier network access makes this a realistic reconnaissance primitive for credential stuffing or targeted phishing campaigns against Frappe-based deployments.
An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid and invalid usernames based on variations in server responses. This information can be leveraged to identify existing accounts and facilitate further attacks, including brute-force or credential stuffing.
Remote username enumeration in GoFiber fiber v3's default BasicAuth middleware exploits a timing side-channel caused by Go's short-circuit `&&` evaluation, producing a ~1,000,000:1 response-time ratio between valid and invalid usernames when bcrypt hashing is in use. Any GoFiber v3 application relying on the default `Authorizer` with hashed credentials is affected; an unauthenticated remote attacker can enumerate valid usernames by measuring HTTP response latency, then focus credential brute-force exclusively on confirmed accounts. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.
Inappropriate implementation in Enterprise in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)
Unauthenticated organization enumeration in Capgo before 12.128.2 exposes tenant existence through differential error responses in the public.invite_user_to_org SECURITY DEFINER RPC function. Any caller holding a publishable API key - a client-side credential intentionally distributed in mobile apps - can probe arbitrary organization IDs and distinguish NO_ORG from NO_RIGHTS responses, confirming or denying tenant existence at scale. No active exploitation is confirmed (not in CISA KEV) and no public POC has been identified, but the attack barrier is exceptionally low given the freely obtainable key material and the network-accessible default posture.
Unauthenticated job ID enumeration in Cap-go (Capgo) before version 12.128.2 exposes internal builder job identifiers via observable response discrepancies on the OPTIONS /build/upload/:jobId/* endpoint. Any network-accessible attacker can probe this endpoint without credentials to distinguish valid job IDs from invalid ones, effectively building a map of active build jobs. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the zero-barrier exploitation (no auth, no interaction) and dual impact of information disclosure and incidental resource consumption make it a meaningful exposure for organizations running self-hosted Capgo instances.
Tenant isolation is broken in Capgo's statistics API before version 12.128.2, allowing authenticated holders of app-limited API keys to enumerate app IDs belonging to other tenants across the platform. The GET /statistics/app/:app_id endpoint returns distinct error codes depending on whether a target app exists (500 PGRST116) or is entirely nonexistent (401), creating an oracle that maps real app IDs outside the caller's authorized scope. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 5.3 reflects the authenticated requirement and limited confidentiality impact.
Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.