HIGH - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
HIGH 7.7	CVE-2026-9709	Themeco Cornerstone < 7.8.9 (Premium, bundled with X Theme) - Subscriber+ Arbitrary User Meta Disclosure_CVE-2026-9709 The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to ...	Unknown	Cornerstone 3.0.0	Jun 24, 2026	CVE
HIGH 7.2	CVE-2026-10749	Post Duplicator < 3.0.15 - Contributor+ PHP Object Injection via customMetaData_CVE-2026-10749 The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied seria...	Unknown	Post Duplicator	Jun 24, 2026	CVE
HIGH 7.5	CVE-2026-10735	ShapedPlugin Multiple Pro Plugins – Backdoor via Compromised Vendor Update Server_CVE-2026-10735 Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommer...	Unknown	smart-post-show-pro 4.0.1	Jun 24, 2026	CVE
HIGH 8.7	CVE-2026-56270	Flowise – Unauthenticated OAuth Secrets Disclosure via /api/v1/loginmethod Endpoint_CVE-2026-56270 Flowise before 3.1.0 (versions 3.0.13 and earlier) contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows ...	Flowise	Flowise	Jun 24, 2026	CVE
HIGH 7.1	CVE-2026-56257	Capgo – Authorization Bypass in App Ownership Transfer via Direct PostgREST Update_CVE-2026-56257 Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfer_app() workflow and creating split-b...	Capgo	Capgo	Jun 24, 2026	CVE
HIGH 7.1	CVE-2026-56256	Capgo – Two-Factor Authentication Bypass via Organization Management API_CVE-2026-56256 Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization (ORG) management API endpoints (e.g...	Capgo	Capgo	Jun 24, 2026	CVE
HIGH 8.8	CVE-2026-56245	Supabase Capgo – Unauthenticated Cross-Tenant Build-Time Accounting Poisoning via record_build_time RPC_CVE-2026-56245 Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows un...	Cap-go	capgo	Jun 24, 2026	CVE
HIGH 7.1	CVE-2026-56244	Capgo – Webhook Signing Secret Disclosure via Non-Admin API Key_CVE-2026-56244 Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies o...	Capgo	Capgo	Jun 24, 2026	CVE
HIGH 8.7	CVE-2026-56232	Capgo – Subkey Scope Bypass in middlewareKey via x-limited-key-id Header_CVE-2026-56232 Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via x-limited-key-id header in middlewar...	Capgo	Capgo	Jun 24, 2026	CVE
HIGH 7.2	CVE-2026-56231	Capgo – Broken Object Level Authorization in Build Job Control via jobId Parameter_CVE-2026-56231 Capgo before 12.128.2 contains a broken object level authorization (BOLA) vulnerability in the POST /build/start/:jobId and POST /build/cancel/:job...	Capgo	Capgo	Jun 24, 2026	CVE