Cap-go capgo up to 12.128.1 cleanup

Summaryinfo

A vulnerability classified as problematic has been found in Cap-go capgo up to 12.128.1. This impacts an unknown function. The manipulation leads to cleanup. This vulnerability is referenced as CVE-2026-53867. Remote exploitation of the attack is possible. No exploit is available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as problematic, has been found in Cap-go capgo up to 12.128.1. This issue affects some unknown processing. The manipulation with an unknown input leads to a cleanup vulnerability. Using CWE to declare the problem leads to CWE-459. The product does not properly "clean up" and remove temporary or supporting resources after they have been used. Impacted is confidentiality. The summary by CVE is:

Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. Attackers can access orphaned image files through previously generated URLs, allowing unauthorized retrieval of user-uploaded content.

It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2026-53867 since 06/10/2026. The exploitation is known to be easy. The attack may be initiated remotely. The technical details are unknown and an exploit is not publicly available.

Upgrading to version 12.128.2 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-36628). Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Vendor

• Cap-go

Name

• capgo

Version

• 12.128.0
• 12.128.1

Website

• Product: https://github.com/Cap-go/capgo/

CPE 2.3info

• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion