CVE-2026-53867— Capgo < 12.128.2 - Orphaned File Retention via Profile Image Replacement
Possible ATT&CK Techniques 1AI
T1530 · Data from Cloud StorageGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-53867
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Capgo < 12.128.2 - Orphaned File Retention via Profile Image Replacement
Source: NVD (National Vulnerability Database)
Vulnerability Description
Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. Attackers can access orphaned image files through previously generated URLs, allowing unauthorized retrieval of user-uploaded content.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
清理环节不完整
Source: NVD (National Vulnerability Database)
Vulnerability Title
Capgo 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Capgo是CAPGO公司的一个专为CapacitorJS开发者打造的移动应用开发和更新平台。 Capgo 12.128.2之前版本存在安全漏洞,该漏洞源于用户替换或删除个人资料图片后未从后端存储中删除之前上传的文件,攻击者可以通过之前生成的URL访问孤立图像文件,导致未经授权检索用户上传内容。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-53867
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-53867
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-53867 (2)
IV. Related Vulnerabilities
Same product: Capgo
- CVE-2026-56216
Capgo - Scope Escalation via API Key Creation in /functions/ - CVE-2026-56214
Capgo - Unauthenticated Organization Enumeration and Billing - CVE-2026-56215
Capgo - Account Merge via Poisoned public.users.email in SSO - CVE-2026-56213
Capgo - Unauthenticated Cross-Tenant Metrics Poisoning via u - CVE-2026-56212
Capgo - Improper 2FA Enforcement Logic via Team Security Set
Same vendor: Capgo
- CVE-2026-56216
Capgo - Scope Escalation via API Key Creation in /functions/ - CVE-2026-56214
Capgo - Unauthenticated Organization Enumeration and Billing - CVE-2026-56215
Capgo - Account Merge via Poisoned public.users.email in SSO - CVE-2026-56213
Capgo - Unauthenticated Cross-Tenant Metrics Poisoning via u - CVE-2026-56212
Capgo - Improper 2FA Enforcement Logic via Team Security Set
Same weakness: CWE-459
- CVE-2026-5038
multer vulnerable to Denial of Service via incomplete cleanu - CVE-2026-33232
AutoGPT: Unauthenticated DoS via Disk Space Exhaustion - CVE-2026-0427
AMD多款产品 安全漏洞 - CVE-2026-34263
Missing authentication check in SAP Commerce cloud configura - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
V. Comments for CVE-2026-53867
No comments yet