Capgo < 12.128.2 - Orphaned File Retention via Profile Image...

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. Attackers can access orphaned image files through previously generated URLs, allowing unauthorized retrieval of user-uploaded content.

Basic Information

ID CVE-2026-53867

Source VulnCheck

Published Jun 12, 2026 at 21:57

Affected Product

Vendor Cap-go

Product capgo

Affected Versions Cap-go capgo 0

CWE Classification

CWE-459

References

{
    "lastseen": "",
    "description": "Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. Attackers can access orphaned image files through previously generated URLs, allowing unauthorized retrieval of user-uploaded content.",
    "published": "2026-06-12T21:57:02.653Z",
    "modified": "2026-06-12T21:57:02.653Z",
    "type": "cve",
    "title": "Capgo < 12.128.2 - Orphaned File Retention via Profile Image Replacement",
    "source": "VulnCheck",
    "references": "https://github.com/Cap-go/capgo/security/advisories/GHSA-8p92-wcp2-c9j4\nhttps://www.vulncheck.com/advisories/capgo-orphaned-file-retention-via-profile-image-replacement",
    "id": "CVE-2026-53867",
    "bulletinFamily": "",
    "cwe": [
        "CWE-459"
    ],
    "cvelist": null,
    "sourceData": "Cap-go capgo 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "capgo",
    "version": "0",
    "vendor": "Cap-go",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Capgo < 12.128.2 - Orphaned File Retention via Profile Image Replacement_CVE-2026-53867