CVE-2026-56227 | Capgo before 12.128.2 contains a server-side request forgery… | CVSS 5.4 MEDIUM

Description

Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, and when triggered, the backend performs outbound requests to these addresses with error responses disclosed to users.

Metadata

CVE ID: CVE-2026-56227
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-19 21:46 UTC
Published: 2026-06-20 15:24 UTC
Last updated: 2026-06-20 15:24 UTC
Primary CWE: CWE-918
Server-Side Request Forgery (SSRF)
Vendor / Product: Capgo / Capgo
Sources: cve.org · NVD

Severity & Metrics

5.4 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected products (1)

Vendor	Product	Platform	Versions
Capgo	Capgo	—	0 < 12.128.2, 12.128.2

Weakness (CWE)

CWE	Source	Description
CWE-918	cna	Server-Side Request Forgery (SSRF)

CVSS scores (2)

Score	Severity	Version	Source	Vector
5.4	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L

References (2)

GHSA Advisory GHSA-48hc-53hv-6x3f https://github.com/Cap-go/capgo/security/advisories/GHSA-48hc-53hv-6x3f
VulnCheck Advisory: Capgo - Server-Side Request Forgery via Webhook URL Validation https://www.vulncheck.com/advisories/capgo-server-side-request-forgery-via-webhook-url-validation