CVE-2026-56309 in Capgo
Resumen
por MITRE • 2026-07-10
Capgo before 12.128.2 fails to enforce plan/quota restrictions on the /files/upload/attachments endpoint, allowing plan-blocked apps to create publicly readable R2 objects. Attackers can upload arbitrary attachments using upload-scoped API keys that bypass plan checks, persist outside normal bundle metadata, and survive app deletion, enabling storage and bandwidth abuse.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.