CVE-2026-56218 | Capgo before 12.128.2 fails to strip EXIF metadata including… | CVSS 5.3 MEDIUM

Description

Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract precise latitude and longitude coordinates revealing user physical location at capture time.

Metadata

CVE ID: CVE-2026-56218
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-19 21:43 UTC
Published: 2026-06-20 15:24 UTC
Last updated: 2026-06-20 15:24 UTC
Primary CWE: CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
Vendor / Product: Capgo / Capgo
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
Capgo	Capgo	—	0 < 12.128.2, 12.128.2

Weakness (CWE)

CWE	Source	Description
CWE-200	cna	Exposure of Sensitive Information to an Unauthorized Actor

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (2)

GHSA Advisory GHSA-c5w9-886p-9j2x https://github.com/Cap-go/capgo/security/advisories/GHSA-c5w9-886p-9j2x
VulnCheck Advisory: Capgo - EXIF Metadata Exposure via Image Upload https://www.vulncheck.com/advisories/capgo-exif-metadata-exposure-via-image-upload