CVE-2026-53867

MEDIUM NVD

CVSS Score 4.3

Severity MEDIUM

Published Jun 12, 2026

Vendor unknown

Description

Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. Attackers can access orphaned image files through previously generated URLs, allowing unauthorized retrieval of user-uploaded content.

References

https://github.com/Cap-go/capgo/security/advisories/GHSA-8p92-wcp2-c9j4
https://www.vulncheck.com/advisories/capgo-orphaned-file-retention-via-profile-image-replacement