Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-56298— Capgo - EXIF Metadata Exposure in App Information Image Upload

CVSS 4.3 · Medium EPSS 0.19% · P8

Possible ATT&CK Techniques 1AI

T1005 · Data from Local System

Affected Version Matrix 2

VendorProductVersion RangeStatus
CapgoCapgo< 12.128.2affected
12.128.2unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-56298

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Capgo - EXIF Metadata Exposure in App Information Image Upload
Source: NVD (National Vulnerability Database)
Vulnerability Description
Capgo before 12.128.2 fails to strip EXIF metadata from images uploaded via the app information endpoint, exposing sensitive geolocation data. Attackers can upload images containing EXIF metadata to extract geographic location information and other embedded metadata from uploaded files.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Capgo 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Capgo是CAPGO公司的一个专为CapacitorJS开发者打造的移动应用开发和更新平台。 Capgo 12.128.2版本之前存在日志信息泄露漏洞,该漏洞源于无法从通过应用信息端点上传的图像中剥离EXIF元数据,可能导致攻击者上传包含EXIF元数据的图像以提取地理位置信息和其他嵌入元数据。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
CapgoCapgo 0 ~ 12.128.2 -

II. Public POCs for CVE-2026-56298

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-56298

登录查看更多情报信息。

Vendor Advisories for CVE-2026-56298 (1)

Other References for CVE-2026-56298 (1)

Same Patch Batch · Capgo · 2026-07-08 · 7 CVEs total

CVE-2026-562468.1 HIGHCapgo - Cross-Organization Authorization Bypass via Scoped API Key Privilege Inheritance
CVE-2026-562507.5 HIGHCapgo - Arbitrary R2 Object Deletion via Mutable r2_path in app_versions
CVE-2026-562206.5 MEDIUMCapgo - Unauthorized Manifest Insertion via Read-Only Org Member
CVE-2026-562835.4 MEDIUMCapgo - HTML Injection Leading to Open Redirection in Organization Settings
CVE-2026-562935.4 MEDIUMCapgo - Stale Cross-Organization Authorization via Incomplete deploy_history Update in tra
CVE-2026-562174.3 MEDIUMCapgo - Encrypted Bundle Policy Bypass via Direct PostgREST Update

IV. Related Vulnerabilities

V. Comments for CVE-2026-56298

No comments yet


Leave a comment