| # | CVSS | Severity | Attack Vector | Description | CWE | CVE | Timestamp | Date |
|---|---|---|---|---|---|---|---|---|
| 2351 | 4.3 | MEDIUM | Network | Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endpoint that allows app-limited API keys to distinguish existing sibling app IDs through dif… | CWE-203 (Information Exposure Through Discrepancy) | CVE-2026-56319 | 2026-06-23 03:36 | 2026-06-21 |
| 2352 | 4.7 | MEDIUM | Network | Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter is … | CWE-601 (Open Redirect) | CVE-2026-56332 | 2026-06-23 03:36 | 2026-06-21 |
| 2353 | 6.8 | MEDIUM | Network | AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, wh… | CWE-918 (Server-Side Request Forgery (SSRF)) | CVE-2026-56342 | 2026-06-23 03:36 | 2026-06-21 |
| 2354 | 6.5 | MEDIUM | Network | AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can sub… | CWE-306 (Missing Authentication for Critical Function) | CVE-2026-56346 | 2026-06-23 03:36 | 2026-06-21 |
| 2355 | 7.5 | HIGH | Network | Capgo before 12.128.2 contains an unauthenticated security definer RPC function get_identity_apikey_only that returns the owning user_id for supplied API keys, creating an API key validity oracle and… | CWE-200 (Information Exposure) | CVE-2026-56242 | 2026-06-23 03:36 | 2026-06-21 |
| 2356 | 6.5 | MEDIUM | Network | Capgo before 12.128.2 contains a broken row level security policy in the org_users table that allows authenticated users to elevate privileges from admin to super_admin. Attackers can exploit the ins… | CWE-266 (Incorrect Privilege Assignment) | CVE-2026-56251 | 2026-06-23 03:36 | 2026-06-21 |
| 2357 | 4.3 | MEDIUM | Network | Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization be… | CWE-639 (Authorization Bypass Through User-Controlled Key) | CVE-2026-56385 | 2026-06-23 03:36 | 2026-06-21 |
| 2358 | 4.8 | MEDIUM | Network | Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rend… | CWE-79 (Cross-site Scripting) | CVE-2026-56393 | 2026-06-23 03:36 | 2026-06-21 |
| 2359 | 8.2 | HIGH | Network | Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the plname parameter. Attackers can send GET reques… | CWE-89 (SQL Injection) | CVE-2017-20252 | 2026-06-23 03:35 | 2026-06-20 |
| 2360 | 8.2 | HIGH | Network | Joomla! Component Quiz Deluxe 3.7.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the ajaxaction.flag_question task. Attacker… | CWE-89 (SQL Injection) | CVE-2017-20257 | 2026-06-23 03:35 | 2026-06-20 |