CVE-2026-56218

MEDIUM

Capgo - EXIF Metadata Exposure via Image Upload

Title source: cna

Description

Capgo before 12.128.2 does not strip EXIF metadata, including the GPS geolocation tags written by phone cameras, from uploaded images (CWE-200, information disclosure). Anyone who can download an uploaded image can read the GPS latitude and longitude stored in its EXIF GPS IFD and learn where the uploader was when the photo was taken. No authentication or user interaction is needed beyond access to the image (CVSS 3.1 AV:N/PR:N/UI:N, C:L).
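The exposure and the fix, as an added example that is not Capgo's code: the block below builds a constructed JPEG whose APP1/Exif segment carries a GPS IFD (the same layout a camera writes), recovers the coordinates the way a downloader would, and removes the metadata segments the way an upload handler should before storing the file. All function names are hypothetical, and the JPEG is only structurally valid (no real scan data), which is enough to show the metadata handling.

```python
import struct

# Added example, not Capgo's code. Function names are hypothetical.
SOS, GPS_IFD_POINTER = 0xDA, 0x8825
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF type


def _to_dms(value):
    """Decimal degrees -> EXIF RATIONAL triple (deg, min, sec) as (num, den)."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    seconds = (value - deg - minutes / 60) * 3600
    return [(deg, 1), (minutes, 1), (round(seconds * 10000), 10000)]


def build_jpeg_with_gps(lat, lon):
    """Constructed sample input: SOI, APP1/Exif with a GPS IFD, a dummy scan, EOI."""
    def entry(tag, typ, count, value4):   # one 12-byte big-endian IFD entry
        return struct.pack(">HHI", tag, typ, count) + value4
    lat_ref = b"N\0\0\0" if lat >= 0 else b"S\0\0\0"
    lon_ref = b"E\0\0\0" if lon >= 0 else b"W\0\0\0"
    # TIFF layout: header 0..8 | IFD0 8..26 | GPS IFD 26..80 | rationals from 80
    ifd0 = struct.pack(">H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack(">I", 26)) + b"\0" * 4
    gps = (struct.pack(">H", 4)
           + entry(0x0001, 2, 2, lat_ref)                   # GPSLatitudeRef
           + entry(0x0002, 5, 3, struct.pack(">I", 80))     # GPSLatitude
           + entry(0x0003, 2, 2, lon_ref)                   # GPSLongitudeRef
           + entry(0x0004, 5, 3, struct.pack(">I", 104))    # GPSLongitude
           + b"\0" * 4)
    rationals = b"".join(struct.pack(">II", n, d) for n, d in _to_dms(lat) + _to_dms(lon))
    app1 = b"Exif\0\0" + b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + rationals
    exif_seg = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    sos_seg = b"\xff\xda" + struct.pack(">H", 4) + b"\0\0"  # structural only, not decodable
    return b"\xff\xd8" + exif_seg + sos_seg + b"\x12\x34\x56" + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, offset, length) for each header segment up to and including SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, length
        if marker == SOS:       # entropy-coded data follows; stop walking headers
            return
        pos += 2 + length


def _read_ifd(tiff, offset, order):
    """Parse one IFD into {tag: raw value bytes} (inline value or via data offset)."""
    n = struct.unpack(order + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(order + "HHI", tiff[e:e + 8])
        size = TYPE_SIZE.get(typ, 1) * count
        if size <= 4:
            entries[tag] = tiff[e + 8:e + 8 + size]
        else:
            off = struct.unpack(order + "I", tiff[e + 8:e + 12])[0]
            entries[tag] = tiff[off:off + size]
    return entries


def _degrees(raw, order, ref):
    """Three RATIONALs (deg, min, sec) plus N/S or E/W ref -> signed decimal degrees."""
    n = struct.unpack(order + "6I", raw)
    value = n[0] / n[1] + n[2] / n[3] / 60 + n[4] / n[5] / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg):
    """What a downloader learns: (lat, lon) from the EXIF GPS IFD, or None."""
    for marker, pos, length in _segments(jpeg):
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        order = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = _read_ifd(tiff, struct.unpack(order + "I", tiff[4:8])[0], order)
        if GPS_IFD_POINTER not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(order + "I", ifd0[GPS_IFD_POINTER])[0], order)
        if not all(t in gps for t in (1, 2, 3, 4)):
            return None
        lat_ref = gps[1].rstrip(b"\0").decode("ascii")
        lon_ref = gps[3].rstrip(b"\0").decode("ascii")
        return _degrees(gps[2], order, lat_ref), _degrees(gps[4], order, lon_ref)
    return None


def strip_metadata(jpeg):
    """Server-side fix: drop APP1 (Exif and XMP) and APP13 (IPTC) before storing."""
    out = bytearray(b"\xff\xd8")
    for marker, pos, length in _segments(jpeg):
        if marker in (0xE1, 0xED):
            continue
        if marker == SOS:
            out += jpeg[pos:]   # SOS header, scan data and EOI pass through unchanged
            break
        out += jpeg[pos:pos + 2 + length]
    return bytes(out)
```

Running `extract_gps(build_jpeg_with_gps(48.8584, 2.2945))` returns the coordinates back; running it on `strip_metadata(...)` of the same bytes returns `None`. The strip removes every APP1 segment rather than only the one starting with `Exif`, because XMP (also APP1) can carry the same GPS fields, and it drops APP13 for IPTC. A real upload handler should use an image library's re-encode path (Pillow, for instance, omits EXIF when a JPEG is saved without an `exif=` argument) and should be checked with an EXIF reader against a photo taken on a phone, since formats other than JPEG (PNG eXIf chunks, HEIC) store the same data elsewhere.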

References (2)

Vendor Advisory: GHSA-c5w9-886p-9j2x
https://github.com/Cap-go/capgo/security/advisories/GHSA-c5w9-886p-9j2x

Third Party Advisory: VulnCheck Advisory: Capgo - EXIF Metadata Exposure via Image Upload
https://www.vulncheck.com/advisories/capgo-exif-metadata-exposure-via-image-upload

Scores

CVSS v3 5.3
EPSS 0.0021
EPSS Percentile 10.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (2)
Capgo/Capgo < 12.128.2 (affected)
Capgo/Capgo 12.128.2 (fixed)
Published Jun 20, 2026
Tracked Since Jun 20, 2026