CVE Catalog

CVE-2026-56227

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

5th percentile — higher than 5% of all known CVEs

Summary

Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, leading to outbound requests to these addresses.

Risk Assessment

Exploitation of this vulnerability may lead to error information being disclosed to users, potentially exposing the organization to attacks and data leaks.

Recommendation

It is recommended to update Capgo to version 12.128.2 or later and review webhook configurations to avoid pointing to local addresses.

Original NVD description (English source)

Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, and when triggered, the backend performs outbound requests to these addresses with error responses disclosed to users.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS