Home

Description

Capgo before 12.128.2 fails to strip EXIF metadata from images uploaded via the app information endpoint, exposing sensitive geolocation data. Attackers can upload images containing EXIF metadata to extract geographic location information and other embedded metadata from uploaded files.

PUBLISHED Reserved 2026-06-20 | Published 2026-07-08 | Updated 2026-07-08 | Assigner VulnCheck




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status
unaffected

Any version before 12.128.2
affected

12.128.2 (semver)
unaffected

References

github.com/.../capgo/security/advisories/GHSA-62jm-xp28-x4xw (GitHub Security Advisory (GHSA-62jm-xp28-x4xw)) vendor-advisory

www.vulncheck.com/...xposure-in-app-information-image-upload (VulnCheck Advisory: Capgo - EXIF Metadata Exposure in App Information Image Upload) third-party-advisory

cve.org (CVE-2026-56298)

nvd.nist.gov (CVE-2026-56298)

Download JSON