CVE-2026-56332

Description

Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter is not validated, enabling attackers to craft malicious links for phishing and credential harvesting attacks.

References

• https://github.com/Cap-go/capgo/security/advisories/GHSA-24q8-ghqq-m8cj
• https://www.vulncheck.com/advisories/capgo-open-redirect-via-confirmation-url-parameter