CVE-2026-56332

Description

Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter is not validated, enabling attackers to craft malicious links for phishing and credential harvesting attacks.

PUBLISHED Reserved 2026-06-20 | Published 2026-06-20 | Updated 2026-06-20 | Assigner VulnCheck

Problem types

URL Redirection to Untrusted Site ('Open Redirect')

Product status

Credits

muhnabil04 reporter

References

github.com/.../capgo/security/advisories/GHSA-24q8-ghqq-m8cj (GHSA Advisory GHSA-24q8-ghqq-m8cj) vendor-advisory

www.vulncheck.com/...redirect-via-confirmation-url-parameter (VulnCheck Advisory: Capgo - Open Redirect via confirmation_url Parameter) third-party-advisory

cve.org (CVE-2026-56332)

nvd.nist.gov (CVE-2026-56332)

Download JSON