CVE-2026-56227
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk5th percentile — higher than 5% of all known CVEs
Summary
Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, leading to outbound requests to these addresses.
Risk Assessment
Exploitation of this vulnerability may lead to error information being disclosed to users, potentially exposing the organization to attacks and data leaks.
Recommendation
It is recommended to update Capgo to version 12.128.2 or later and review webhook configurations to avoid pointing to local addresses.
Original NVD description (English source)
Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, and when triggered, the backend performs outbound requests to these addresses with error responses disclosed to users.

