Recent Advisories

Each entry lists: severity and CVSS score, CVE ID, title, summary, vendor, product and advisory type. The source table's Date column is empty for every entry and is omitted below.

CVE-2026-56331 (MEDIUM, 6.9)
Title: Capgo – Improper Error Handling in Accept Invitation Endpoint via Invalid Magic String
Summary: Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns HTTP 500 instead of safe 4xx errors ...
Vendor: Capgo | Product: Capgo | Type: CVE

CVE-2026-56328 (HIGH, 7.1)
Title: Capgo – Integrity Issue in Release Routing via Multiple Public Channels
Summary: Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously, while unnamed /updates requests with...
Vendor: Capgo | Product: Capgo | Type: CVE

CVE-2026-56327 (MEDIUM, 6.9)
Title: Capgo – Unauthenticated Organization Existence Oracle via public.invite_user_to_org RPC
Summary: Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC function that allows unauthenticated at...
Vendor: Capgo | Product: Capgo | Type: CVE

CVE-2026-56320 (HIGH, 7.1)
Title: Capgo – Org/App Scope Mismatch in Device Creation Endpoint
Summary: Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validat...
Vendor: Capgo | Product: Capgo | Type: CVE

CVE-2026-56318 (MEDIUM, 6.9)
Title: Capgo – Information Disclosure via /private/validate_password_compliance Endpoint
Summary: Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compliance endpoint that returns different...
Vendor: Capgo | Product: Capgo | Type: CVE

CVE-2026-56300 (HIGH, 8.7)
Title: Capgo – Unauthenticated API Key Validity and Permission Oracle via RPC Functions
Summary: Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for_apikey that expose API key validity ...
Vendor: Capgo | Product: Capgo | Type: CVE

CVE-2026-56286 (HIGH, 7)
Title: Capgo – Account Deletion Without Password Confirmation
Summary: Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-aut...
Vendor: Capgo | Product: Capgo | Type: CVE

CVE-2026-56278 (CRITICAL, 9.3)
Title: Flowise – Session Hijacking via Weak Default Express Session Secret
Summary: Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware whe...
Vendor: Flowise | Product: Flowise | Type: CVE

CVE-2026-56277 (MEDIUM, 6.9)
Title: Flowise – Hardcoded CORS Wildcard in TTS Endpoint
Summary: Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/...
Vendor: Flowise | Product: Flowise | Type: CVE

CVE-2026-56264 (CRITICAL, 9.2)
Title: Crawl4AI – Arbitrary JavaScript Execution via /execute_js Endpoint
Summary: Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and e...
Vendor: Crawl4AI | Product: Crawl4AI 0.8.7 | Type: CVE