Capgo
61 CVEs

| CVE ID | Severity | Product / summary | Published |
|---|---|---|---|
| CVE-2026-56219 | HIGH 8.7 | Capgo — Capgo before 12.128.2 contains a NULL-auth bypass vulnerability in the public.get_org_user_access_rbac functio… | 2026-06-30 |
| CVE-2026-56224 | MEDIUM 5.1 | Capgo — Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, … | 2026-06-30 |
| CVE-2026-56230 | HIGH 8.7 | Capgo — Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey() that accep… | 2026-06-30 |
| CVE-2026-56233 | HIGH 8.7 | Capgo — Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenti… | 2026-06-30 |
| CVE-2026-56247 | HIGH 8.7 | Capgo — Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role s… | 2026-06-30 |
| CVE-2026-56249 | HIGH 7.2 | Capgo — Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that all… | 2026-06-30 |
| CVE-2026-56286 | HIGH 7 | Capgo — Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that al… | 2026-06-30 |
| CVE-2026-56300 | HIGH 8.7 | Capgo — Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for… | 2026-06-30 |
| CVE-2026-56318 | MEDIUM 6.9 | Capgo — Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validate_password_compl… | 2026-06-30 |
| CVE-2026-56320 | HIGH 7.1 | Capgo — Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supp… | 2026-06-30 |
| CVE-2026-56327 | MEDIUM 6.9 | Capgo — Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC fu… | 2026-06-30 |
| CVE-2026-56328 | HIGH 7.1 | Capgo — Capgo before 12.128.2 allows multiple public channels for the same app and platform to coexist simultaneously,… | 2026-06-30 |
| CVE-2026-56331 | MEDIUM 6.9 | Capgo — Capgo before 12.128.2 contains improper error handling in the /private/accept_invitation endpoint that returns… | 2026-06-30 |
| CVE-2026-56333 | MEDIUM 5.3 | Capgo — Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings… | 2026-06-30 |
| CVE-2026-56334 | MEDIUM 5.3 | Capgo — Capgo before 12.128.2 lacks an UPDATE row-level security policy for the build_requests table, preventing API-k… | 2026-06-30 |
| CVE-2026-56223 | CRITICAL 9.3 | Capgo — Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoin… | 2026-06-24 |
| CVE-2026-56231 | HIGH 7.2 | Capgo — Capgo before 12.128.2 contains a broken object level authorization (BOLA) vulnerability in the POST /build/sta… | 2026-06-24 |
| CVE-2026-56232 | HIGH 8.7 | Capgo — Capgo before 12.128.2 fails to enforce limited_to_orgs and limited_to_apps constraints on subkeys provided via… | 2026-06-24 |
| CVE-2026-56237 | CRITICAL 9.3 | Capgo — Capgo before 12.128.2 contains a broken authentication vulnerability in its API key generation mechanism. API … | 2026-06-24 |
| CVE-2026-56244 | HIGH 7.1 | Capgo — Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insuf… | 2026-06-24 |
| CVE-2026-56256 | HIGH 7.1 | Capgo — Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organizatio… | 2026-06-24 |
| CVE-2026-56257 | HIGH 7.1 | Capgo — Capgo before 12.128.2 allows direct patching of public.apps.owner_org through PostgREST, bypassing the transfe… | 2026-06-24 |
| CVE-2026-56302 | MEDIUM 6.9 | Capgo — Capgo before 12.128.2 contains an unsecured images bucket lacking any row level security controls, allowing un… | 2026-06-24 |
| CVE-2026-56337 | MEDIUM 6.9 | Capgo — Capgo before 12.128.2 contains an information disclosure vulnerability in the public.exist_app_v2 RPC function… | 2026-06-24 |
| CVE-2026-56338 | MEDIUM 6.9 | Capgo — Capgo before 12.128.2 contains a denial of service vulnerability in the /auth/v1/otp endpoint that prevents em… | 2026-06-24 |
| CVE-2026-56222 | HIGH 8.6 | Capgo — Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/role_bindings that fails… | 2026-06-23 |
| CVE-2026-56225 | HIGH 8.7 | Capgo — Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers… | 2026-06-23 |
| CVE-2026-56234 | MEDIUM 6.9 | Capgo — Capgo before 12.128.2 contains a credential validation vulnerability in the POST /functions/v1/private/validat… | 2026-06-23 |
| CVE-2026-56243 | HIGH 8.6 | Capgo — Capgo before 12.128.2 contains a security control bypass vulnerability where the PostgREST/RLS plane accepts p… | 2026-06-23 |
| CVE-2026-56322 | HIGH 8.7 | Capgo — Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoin… | 2026-06-23 |
| CVE-2026-56255 | MEDIUM 5.3 | Capgo — Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows au… | 2026-06-22 |
| CVE-2026-56306 | MEDIUM 5.3 | Capgo — Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attacke… | 2026-06-22 |
| CVE-2026-56311 | MEDIUM 6.9 | Capgo — Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.get_current_plan_max_org RP… | 2026-06-22 |
| CVE-2026-56314 | HIGH 7.1 | Capgo — Capgo before 12.128.12 fails to filter deleted app versions when joining channels during /updates resolution, … | 2026-06-22 |
| CVE-2026-56321 | MEDIUM 6.9 | Capgo — Capgo (backend Supabase edge functions) before 12.128.2 does not apply the global authentication middleware to… | 2026-06-22 |
| CVE-2026-56323 | HIGH 8.7 | Capgo — Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channel_self endpo… | 2026-06-22 |
| CVE-2026-56324 | HIGH 8.8 | Capgo — Capgo before 12.128.2 contains a rate limit bypass vulnerability in the channel_self endpoint that allows atta… | 2026-06-22 |
| CVE-2026-56229 | HIGH 7.1 | Capgo — Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endp… | 2026-06-21 |
| CVE-2026-56236 | MEDIUM 6.8 | Cli — Capgo CLI before 12.128.2 contains arbitrary file overwrite vulnerabilities in login and build credentials ope… | 2026-06-21 |
| CVE-2026-56239 | HIGH 7.2 | Capgo — Capgo before 12.128.2 contains a potential privilege escalation vulnerability in the public.apply_usage_overag… | 2026-06-21 |
| CVE-2026-56242 | HIGH 8.7 | Capgo — Capgo before 12.128.2 contains an unauthenticated security definer RPC function get_identity_apikey_only that … | 2026-06-21 |
| CVE-2026-56251 | HIGH 7 | Capgo — Capgo before 12.128.2 contains a broken row level security policy in the org_users table that allows authentic… | 2026-06-21 |
| CVE-2026-56253 | HIGH 8.7 | Capgo — Capgo before 12.128.2 contains an improper access control vulnerability in the public.get_org_members RPC func… | 2026-06-21 |
| CVE-2026-56299 | MEDIUM 6.9 | Capgo — Capgo before 12.128.2 contains an authentication bypass vulnerability in the /build/upload/:jobId/* endpoint t… | 2026-06-21 |
| CVE-2026-56212 | MEDIUM 5.1 | Capgo — Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organiza… | 2026-06-20 |
| CVE-2026-56213 | MEDIUM 6.9 | Capgo — Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURIT… | 2026-06-20 |
| CVE-2026-56214 | HIGH 8.7 | Capgo — Capgo before 12.128.2 contains an information disclosure vulnerability in Supabase PostgREST RPC endpoints is_… | 2026-06-20 |
| CVE-2026-56215 | HIGH 8.7 | Capgo — Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addr… | 2026-06-20 |
| CVE-2026-56216 | HIGH 8.7 | Capgo — Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that… | 2026-06-20 |
| CVE-2026-56218 | MEDIUM 6.9 | Capgo — Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowi… | 2026-06-20 |
| CVE-2026-56227 | MEDIUM 5.3 | Capgo — Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allo… | 2026-06-20 |
| CVE-2026-56228 | MEDIUM 6.9 | Capgo — Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password po… | 2026-06-20 |
| CVE-2026-56282 | MEDIUM 6.9 | Capgo — Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /replication end… | 2026-06-20 |
| CVE-2026-56295 | MEDIUM 5.3 | Capgo — Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allo… | 2026-06-20 |
| CVE-2026-56319 | MEDIUM 5.3 | Capgo — Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:app_id endp… | 2026-06-20 |
| CVE-2026-56325 | LOW 2.3 | Capgo — Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in the preview s… | 2026-06-20 |
| CVE-2026-56330 | MEDIUM 4.8 | Capgo — Capgo before 12.128.2 contains an open redirect vulnerability in stripe_portal and stripe_checkout endpoints t… | 2026-06-20 |
| CVE-2026-56332 | MEDIUM 5.1 | Capgo — Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attac… | 2026-06-20 |
| CVE-2026-56079 | HIGH 7.1 | Capgo — Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that a… | 2026-06-19 |
| CVE-2026-53867 | MEDIUM 5.3 | Capgo — Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users repla… | 2026-06-12 |
| CVE-2026-53868 | HIGH 8.7 | Capgo — Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using… | 2026-06-12 |