CVE-2026-56309 in Capgoinformación

Resumen

por MITRE • 2026-07-10

Capgo before 12.128.2 fails to enforce plan/quota restrictions on the /files/upload/attachments endpoint, allowing plan-blocked apps to create publicly readable R2 objects. Attackers can upload arbitrary attachments using upload-scoped API keys that bypass plan checks, persist outside normal bundle metadata, and survive app deletion, enabling storage and bandwidth abuse.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Responsable

VulnCheck

Reservar

2026-06-20

Divulgación

2026-07-10

Moderación

aceptado

Artículo

VDB-377488

CPE

listo

EPSS

0.00259

KEV

no

Actividades

muy bajo

Fuentes

Want to stay up to date on a daily basis?

Enable the mail alert feature now!