CVE-2026-56298 PUBLISHED

Capgo - EXIF Metadata Exposure in App Information Image Upload

Assigner: VulnCheck
Reserved: 20.06.2026 Published: 08.07.2026 Updated: 08.07.2026

Capgo before 12.128.2 fails to strip EXIF metadata from images uploaded via the app information endpoint, exposing sensitive geolocation data. Attackers can upload images containing EXIF metadata to extract geographic location information and other embedded metadata from uploaded files.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.3

Product Status

Vendor Capgo
Product Capgo
Versions Default: unaffected
  • affected from 0 to 12.128.2 (excl.)
  • Version 12.128.2 is unaffected

References

Problem Types

  • Exposure of Sensitive Information to an Unauthorized Actor CWE