3 matches found
CVE-2026-56244
Capgo before 12.128.2 allows non-admin API keys to read webhook signing secrets via Supabase REST due to insufficient row-level security policies on the webhooks table. Attackers can retrieve the webhook secret and forge valid X-Capgo-Signature headers to send authenticated webhook events to...
CVE-2026-56227
Capgo before 12.128.2 contains a server-side request forgery vulnerability in webhook URL validation that allows loopback and internal addresses. Organization admins can configure webhooks pointing to localhost or 127.0.0.1, and when triggered, the backend performs outbound requests to these...
PT-2026-49044
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description The software fails to delete previously uploaded profile images from backend storage when users replace or remove them. This results in orphaned image files that can be accessed by attackers through...