CVE Catalog

CVE-2026-56332

MediumCVSS 4.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter is not validated, enabling attackers to craft malicious links for phishing and credential harvesting attacks.

Risk Assessment

This vulnerability poses a risk to users who may be tricked into being redirected to fraudulent sites, leading to the theft of personal and credential data. Organizations may suffer financial and reputational losses as a result of such attacks.

Recommendation

It is recommended to upgrade to Capgo version 12.128.2 or later to mitigate this vulnerability. Additionally, implementing further URL parameter validation mechanisms in the application is advisable.

Original NVD description (English source)

Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter is not validated, enabling attackers to craft malicious links for phishing and credential harvesting attacks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS