CVE-2026-56329
MEDIUM Exploitation: PoC
6.4
CVSS 3.1
Description
Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can register app IDs with underscores that collide with other tenants' dotted app IDs, causing preview misrouting and denial of preview access for victim applications.
Metadata
Severity & Metrics
6.4
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
SSVC — CISA Coordinator
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Capgo | Capgo | — | 0 < 12.128.2, 12.128.2 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-436 | cna | Interpretation Conflict |
CVSS scores (2)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 6.4 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L |
| 5.3 | MEDIUM | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L |
References (2)
- GitHub Security Advisory (GHSA-76qq-gg2p-pwwj) https://github.com/Cap-go/capgo/security/advisories/GHSA-76qq-gg2p-pwwj
- VulnCheck Advisory: Capgo - Cross-Tenant Preview Namespace Collision via Non-Bijective Underscore Decoding https://www.vulncheck.com/advisories/capgo-cross-tenant-preview-namespace-collision-via-non-bijective-underscore-decoding