CVE-2026-53867
MEDIUMCapgo < 12.128.2 - Orphaned File Retention via Profile Image Replacement
Title source: cnaDescription
Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. Attackers can access orphaned image files through previously generated URLs, allowing unauthorized retrieval of user-uploaded content.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
GHSA Advisory GHSA-8p92-wcp2-c9j4
https://github.com/Cap-go/capgo/security/advisories/GHSA-8p92-wcp2-c9j4
Third Party Advisory third-party-advisory
VulnCheck Advisory: Capgo < 12.128.2 - Orphaned File Retention via Profile Image Replacement
https://www.vulncheck.com/advisories/capgo-orphaned-file-retention-via-profile-image-replacement
Scores
CVSS v3
4.3
EPSS
0.0018
EPSS Percentile
8.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-459
Status
published
Products (2)
Cap-go/capgo
< 12.128.2
Cap-go/capgo
12.128.2
Published
Jun 12, 2026
Tracked Since
Jun 13, 2026