CVE-2026-53868
Severity: HIGH
Capgo < 12.128.2 - Denial of Service via Unverified Email Account Registration and Deletion
Title source: cnaDescription
Capgo before 12.128.2 contains a denial-of-service vulnerability in its account lifecycle: the registration flow accepts an arbitrary email address without verifying that the registrant controls it, and the deletion flow then moves that address into a pending-deletion state. An attacker can register an account under a victim's email address and immediately request its deletion, leaving the address locked for the 30-day pending-deletion period so that the legitimate owner cannot register or use the platform during that time. The attack needs no privileges and no user interaction (CVSS PR:N/UI:N); the root cause is that neither lifecycle operation checks proven ownership of the email address.
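The following is an added illustration, not Capgo's code: a small in-memory model of the account lifecycle the advisory describes, with a policy switch that reproduces the pre-12.128.2 behaviour (any registration, verified or not, reserves the address and may enter the 30-day hold) beside a hardened policy (an unverified claim never reserves the address, and only a verified owner may request deletion). The class, method names, token format and email address are all assumptions made for the example; Capgo's real storage, endpoints and mail flow are not shown.

```typescript
// Added example modelling CVE-2026-53868 in the abstract; not Capgo's implementation.
type AccountState = "unverified" | "verified" | "pending_deletion";

interface Account {
  email: string;
  state: AccountState;
  verifyToken?: string;        // hypothetical: token mailed to the address on registration
  deletionRequestedAt?: number; // ms timestamp when the 30-day hold began
}

const PENDING_DELETION_MS = 30 * 24 * 60 * 60 * 1000; // 30-day window from the advisory

class AccountService {
  private accounts = new Map<string, Account>();
  private tokenCounter = 0;
  private requireVerifiedOwnership: boolean;

  // false reproduces the behaviour described for Capgo < 12.128.2; true is the hardened policy.
  constructor(requireVerifiedOwnership: boolean) {
    this.requireVerifiedOwnership = requireVerifiedOwnership;
  }

  /** Register an account. Returns the verification token (in a real system this goes
   *  only to the mailbox, so only the address owner can complete verification), or
   *  null when the address is unavailable. */
  register(email: string, now: number): string | null {
    this.purgeExpired(now);
    const existing = this.accounts.get(email);
    if (existing) {
      // Vulnerable policy: any existing claim, even unverified or pending deletion, blocks the address.
      if (!this.requireVerifiedOwnership) return null;
      // Hardened policy: an unverified claim does not reserve the address. A new registrant
      // gets a fresh token, so whoever actually receives mail at the address wins.
      if (existing.state !== "unverified") return null;
    }
    const token = `tok-${++this.tokenCounter}`; // hypothetical token format
    this.accounts.set(email, { email, state: "unverified", verifyToken: token });
    return token;
  }

  /** Prove ownership of the address with the token that was mailed to it. */
  verify(email: string, token: string): boolean {
    const acct = this.accounts.get(email);
    if (!acct || acct.state !== "unverified" || acct.verifyToken !== token) return false;
    acct.state = "verified";
    delete acct.verifyToken;
    return true;
  }

  /** Start the 30-day pending-deletion hold on the address. */
  requestDeletion(email: string, now: number): boolean {
    const acct = this.accounts.get(email);
    if (!acct || acct.state === "pending_deletion") return false;
    // Hardened policy: only a verified owner may place the address on hold.
    if (this.requireVerifiedOwnership && acct.state !== "verified") return false;
    acct.state = "pending_deletion";
    acct.deletionRequestedAt = now;
    return true;
  }

  stateOf(email: string): AccountState | undefined {
    return this.accounts.get(email)?.state;
  }

  // Accounts whose hold has run its full 30 days are removed and the address freed.
  private purgeExpired(now: number): void {
    this.accounts.forEach((acct, email) => {
      if (acct.state === "pending_deletion" && acct.deletionRequestedAt !== undefined &&
          now - acct.deletionRequestedAt >= PENDING_DELETION_MS) {
        this.accounts.delete(email);
      }
    });
  }
}

/** Replays the advisory's attack against one policy and reports whether the legitimate
 *  owner could register on day 1 (inside the hold) and day 31 (after it expires). */
function replayLockout(requireVerifiedOwnership: boolean): { day1: boolean; day31: boolean } {
  const svc = new AccountService(requireVerifiedOwnership);
  const victim = "victim@example.com"; // constructed address for the example
  const day = 24 * 60 * 60 * 1000;
  svc.register(victim, 0);        // attacker claims the victim's address, never verifies it
  svc.requestDeletion(victim, 0); // and immediately asks for deletion to start the hold
  const day1 = svc.register(victim, 1 * day) !== null;
  const day31 = svc.register(victim, 31 * day) !== null;
  return { day1, day31 };
}
```

Under the vulnerable policy `replayLockout(false)` returns `{ day1: false, day31: true }`: the owner is locked out for the whole 30-day window and the attacker can repeat the sequence once it expires. Under the hardened policy `replayLockout(true)` returns `{ day1: true, day31: true }` because the attacker's unverified claim neither reserves the address nor qualifies for deletion, while a verified owner can still place their own account on hold.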
References (2)
Third Party Advisory (VulnCheck): Capgo < 12.128.2 - Denial of Service via Unverified Email Account Registration and Deletion
https://www.vulncheck.com/advisories/capgo-denial-of-service-via-unverified-email-account-registration-and-deletion
Vendor Advisory (GitHub Security Advisory): GHSA-3wfv-m8fq-7r5g
https://github.com/Cap-go/capgo/security/advisories/GHSA-3wfv-m8fq-7r5g
Scores
CVSS v3: 7.5 (HIGH)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (network-reachable, low complexity, no privileges, no user interaction; impact is availability only, with no confidentiality or integrity loss)
EPSS: 0.0026 (percentile 16.8%)
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-306 (Missing Authentication for Critical Function): the registration and deletion operations act on an email address without authenticating that the caller owns it.
Status: published
Products (2)
Capgo/Capgo < 12.128.2 (affected)
Capgo/Capgo 12.128.2 (fixed)
Published: Jun 12, 2026
Tracked Since: Jun 13, 2026