Cybersecurity & EU Regulation

News & Security

Updates from ENISA, NVD and the main European cybersecurity sources. Everything a Technical Manager needs to know.


Critical vulnerability
CVE-2026-11551 (CVSS 9.8)

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Source: NVD (NIST), 20 Jun 2026
High vulnerability
CVE-2026-56215 - Capgo - Account Merge via Poisoned public.users.email in SSO Provisioning

CVE ID: CVE-2026-56215
Published: June 20, 2026, 12:14 a.m.
Description: Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can pre-position their account with a victim's corporate SSO email, causing the provision-user endpoint to merge the victim's SSO identity into the attacker-controlled account.
Severity: 8.7 | HIGH

Source: CVEfeed CVE, 20 Jun 2026
High vulnerability
CVE-2026-56216 - Capgo - Scope Escalation via API Key Creation in /functions/v1/apikey

CVE ID: CVE-2026-56216
Published: June 20, 2026, 12:14 a.m.
Description: Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty limits. Attackers with a compromised app-limited key can create an unrestricted key with org-wide access to resources like app listings and other protected endpoints.
Severity: 8.8 | HIGH

Source: CVEfeed CVE, 20 Jun 2026
High vulnerability
CVE-2026-56214 - Capgo - Unauthenticated Organization Enumeration and Billing Status Disclosure via Supabase RPC

CVE ID: CVE-2026-56214
Published: June 20, 2026, 12:14 a.m.
Description: Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST RPC endpoints is_trial_org and is_paying_org that allows unauthenticated attackers to enumerate organizations and disclose billing status using the public sb_publishable key. Attackers can invoke these endpoints to determine organization existence via distinguishable return values and identify paying customers for targeted profiling.
Severity: 8.7 | HIGH

Source: CVEfeed CVE, 20 Jun 2026
High vulnerability
CVE-2026-56213 - Capgo - Unauthenticated Cross-Tenant Metrics Poisoning via upsert_version_meta RPC

CVE ID: CVE-2026-56213
Published: June 20, 2026, 12:14 a.m.
Description: Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows into version_meta for any app_id. Attackers can exploit this by calling the RPC endpoint with a public anon key to poison storage metrics, causing persistent false data in dashboards and triggering incorrect alerts across victim applications.
Severity: 6.9 | MEDIUM

Source: CVEfeed CVE, 20 Jun 2026
High vulnerability
CVE-2026-56212 - Capgo - Improper 2FA Enforcement Logic via Team Security Settings

CVE ID: CVE-2026-56212
Published: June 20, 2026, 12:14 a.m.
Description: Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator's 2FA status before allowing the policy change, resulting in inconsistent security enforcement, potential administrative misuse, and lockout risk for team members.
Severity: 5.1 | MEDIUM

Source: CVEfeed CVE, 20 Jun 2026
High vulnerability
CVE-2026-11551 - Branda – White Label & Branding, Free Login Page Customizer <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover

CVE ID: CVE-2026-11551
Published: June 19, 2026, 11:29 p.m.
Description: The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators, and leverage that to gain access to their account.
Severity: 9.8 | CRITICAL

Source: CVEfeed CVE, 19 Jun 2026
Critical vulnerability
CVE-2026-56081 (CVSS 9.1)

Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim's identity, allowing them to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to the account tied to their own email.

Source: NVD (NIST), 19 Jun 2026
Critical vulnerability
CVE-2026-56073 (CVSS 9.4)

Cap-go before 12.128.2 contains an authentication bypass vulnerability in OTP verification that allows attackers to bypass email verification by modifying server responses. Attackers can intercept OTP verification requests and manipulate HTTP responses to falsely mark verification successful, enabling unauthorized 2FA enablement and account takeover.

Source: NVD (NIST), 19 Jun 2026
High vulnerability
CVE-2026-56082 - Capgo - Unauthenticated Cross-Tenant Billing Log Tampering via public.record_build_time RPC

CVE ID: CVE-2026-56082
Published: June 19, 2026, 9:39 p.m.
Description: Capgo (Cap-go/capgo) before 12.128.2 contains an improper access control vulnerability in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is granted to the anon role and callable with only the public Supabase publishable (sb_publishable_*) anon key. An unauthenticated attacker can insert rows into public.build_logs for arbitrary organizations and, because the function uses ON CONFLICT (build_id, org_id) DO UPDATE, can overwrite existing usage/billing records by reusing the same build_id for a target org. This enables cross-tenant tampering of billing build logs and financial-impact denial of service by inflating billable build time.
Severity: 8.7 | HIGH

Source: CVEfeed CVE, 19 Jun 2026
High vulnerability
CVE-2026-56081 - Cap-go - Account Lockout via 2FA Misconfiguration on Unverified Email

CVE ID: CVE-2026-56081
Published: June 19, 2026, 9:39 p.m.
Description: Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim's identity, allowing them to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to the account tied to their own email.
Severity: 9.3 | CRITICAL

Source: CVEfeed CVE, 19 Jun 2026
High vulnerability
CVE-2026-56080 - Cap-go - Authentication Logic Flaw in Enforce Password Policy

CVE ID: CVE-2026-56080
Published: June 19, 2026, 9:39 p.m.
Description: Capgo before 12.128.2 contains a flaw in the Enforce Password Policy feature: after a Super Admin enables the policy and successfully changes their password to a compliant one, the backend does not update the password-compliance state. As a result, the backend continues to treat the account as non-compliant and repeatedly forces password-reset prompts, permanently locking the Super Admin out of organization access (organization lockout / denial of service) despite valid authentication.
Severity: 6.9 | MEDIUM

Source: CVEfeed CVE, 19 Jun 2026
