CVE-2026-56309 in Capgo
الملخص
بحسب MITRE • 10/07/2026
Capgo before 12.128.2 fails to enforce plan/quota restrictions on the /files/upload/attachments endpoint, allowing plan-blocked apps to create publicly readable R2 objects. Attackers can upload arbitrary attachments using upload-scoped API keys that bypass plan checks, persist outside normal bundle metadata, and survive app deletion, enabling storage and bandwidth abuse.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.