| # | CVSS | Severity | Vector | Description | Status | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|
| 951 | 4.3 | MEDIUM | Network | Capgo before 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limited_to_orgs restrictions. Attackers with… | New | CWE-285 Improper Authorization | CVE-2026-56310 | 2026-06-25 23:16 | 2026-06-24 |
| 952 | 7.1 | HIGH | Network | Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-brain ownership. Attackers can directly update apps.o… | New | CWE-284 Improper Access Control | CVE-2026-56257 | 2026-06-25 23:16 | 2026-06-24 |
| 953 | 7.6 | HIGH | Network | Capgo before 12.128.2 contains a broken object level authorization (BOLA) vulnerability in the POST /build/start/:jobId and POST /build/cancel/:jobId endpoints. The handlers authorize the request bas… | New | CWE-285 Improper Authorization | CVE-2026-56231 | 2026-06-25 23:16 | 2026-06-24 |
| 954 | 7.1 | HIGH | Network | A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC (Scalable Video Coding) layer ID control all… | New | CWE-787 Out-of-bounds Write | CVE-2026-56211 | 2026-06-25 23:16 | 2026-06-20 |
| 955 | - | | | A vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.6.0 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue. | New | CWE-190 Integer Overflow or Wraparound | CVE-2026-54226 | 2026-06-25 23:16 | 2026-06-25 |
| 956 | 5.9 | MEDIUM | Network | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the /api/icon/getDynamicIcon endpoint is explicitly excluded from authentication in SiYuan's kernel router (router.go, "… | New | CWE-306 Missing Authentication for Critical Function | CVE-2026-54068 | 2026-06-25 23:16 | 2026-06-25 |
| 957 | 9.9 | CRITICAL | Network | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan contains a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer t… | New | CWE-79 Cross-site Scripting | CVE-2026-50551 | 2026-06-25 23:16 | 2026-06-25 |
| 958 | 8.3 | HIGH | Network | yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, a vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .web… | New | CWE-641 Improper Restriction of Names for Files and Other Resources | CVE-2026-50023 | 2026-06-25 23:16 | 2026-06-24 |
| 959 | 9.1 | CRITICAL | Network | IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hard… | New | CWE-798 Use of Hard-coded Credentials | CVE-2026-12628 | 2026-06-25 23:16 | 2026-06-23 |
| 960 | 9.8 | CRITICAL | Network | The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` func… | New | CWE-640 Weak Password Recovery Mechanism for Forgotten Password | CVE-2026-12416 | 2026-06-25 23:16 | 2026-06-24 |