Back to overview

CVE-2026-56329

MEDIUM Exploitation: PoC
6.4
CVSS 3.1
Description
Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can register app IDs with underscores that collide with other tenants' dotted app IDs, causing preview misrouting and denial of preview access for victim applications.

Metadata

CVE ID
CVE-2026-56329
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-20 13:06 UTC
Published
2026-07-10 13:57 UTC
Last updated
2026-07-10 15:45 UTC
Primary CWE
CWE-436
Interpretation Conflict
Vendor / Product
Capgo / Capgo
Sources
cve.org  ·  NVD

Severity & Metrics

6.4 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
Capgo Capgo 0 < 12.128.2, 12.128.2
Weakness (CWE)
CWESourceDescription
CWE-436 cna Interpretation Conflict
CVSS scores (2)
ScoreSeverityVersionSourceVector
6.4 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
5.3 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L
References (2)
Back to overview