Recent Advisories

| Severity | ID | Title | Summary | Vendor | Product | Date | Type |
|---|---|---|---|---|---|---|---|
| MEDIUM 6.9 | CVE-2026-56277 | Flowise – Hardcoded CORS Wildcard in TTS Endpoint | Flowise before 3.1.2 sets Access-Control-Allow-Origin to a hardcoded wildcard (*) on its text-to-speech (TTS) generation endpoint (packages/server/... | Flowise | Flowise | | CVE |
| CRITICAL 9.2 | CVE-2026-56264 | Crawl4AI – Arbitrary JavaScript Execution via /execute_js Endpoint | Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and e... | Crawl4AI | Crawl4AI 0.8.7 | | CVE |
| HIGH 7.2 | CVE-2026-56249 | Capgo – Unauthorized Channel Overwrite and Ownership Takeover via POST /channel Name Collision | Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite ... | Capgo | Capgo | | CVE |
| HIGH 8.7 | CVE-2026-56247 | Capgo – Privilege Escalation via Cross-Scope RBAC Role Assignment | Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pend... | Capgo | Capgo | | CVE |
| HIGH 8.7 | CVE-2026-56233 | Capgo – SSRF and Privilege Escalation via Path Traversal in Builder Upload Proxy | Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenticated users with build permissions to... | Capgo | Capgo | | CVE |
| HIGH 8.7 | CVE-2026-56230 | Capgo – Broken Object Level Authorization via x-limited-key-id Header | Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accepts the client-controlled x-limited-ke... | Capgo | Capgo | | CVE |
| MEDIUM 5.1 | CVE-2026-56224 | Capgo – Login CSRF and Session Fixation via URL Query Parameters | Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users wi... | Capgo | Capgo | | CVE |
| HIGH 8.7 | CVE-2026-56219 | Capgo – Unauthenticated RBAC Bindings and Email Disclosure via get_org_user_access_rbac NULL-auth Bypass | Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac function that allows unauthenticated attacke... | Capgo | Capgo | | CVE |
| LOW 3.7 | CVE-2026-54696 | Ruby JSON: JSON generator heap buffer overflow when streaming to an IO | Ruby JSON is a JSON implementation for Ruby. Versions 2.9.0 through 2.19.8 are vulnerable to heap buffer overflow when the JSON generator is provid... | ruby | json >= 2.9.0, < 2.19.9 | | CVE |
| HIGH 8.2 | CVE-2026-54673 | electron-updater: Cross-origin redirect leaks `PRIVATE-TOKEN` and mixed-case `Authorization` credentials in `builder-util-runtime` | electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler (HttpExecutor.prepareRedirectUrlOptions)... | electron-userland | electron-builder < 26.15.0 | | CVE |