Description

Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. Attackers can access orphaned image files through previously generated URLs, allowing unauthorized retrieval of user-uploaded content.

Status: PUBLISHED | Reserved 2026-06-10 | Published 2026-06-12 | Updated 2026-06-16 | Assigner VulnCheck

MEDIUM: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

MEDIUM: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Problem types

Incomplete Cleanup

Product status

Default status: unaffected

Any version before 12.128.2: affected

12.128.2 (semver): unaffected

Credits

Naitik Gupta (reporter)

References

github.com/.../capgo/security/advisories/GHSA-8p92-wcp2-c9j4 (GHSA Advisory GHSA-8p92-wcp2-c9j4) vendor-advisory

www.vulncheck.com/...retention-via-profile-image-replacement (VulnCheck Advisory: Capgo < 12.128.2 - Orphaned File Retention via Profile Image Replacement) third-party-advisory

cve.org (CVE-2026-53867)

nvd.nist.gov (CVE-2026-53867)