← back
CVE-2026-53867

Capgo < 12.128.2 - Orphaned File Retention via Profile Image Replacement

CVSS 5.3 MEDIUMEPSS 0.2%CWE-459
Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. Attackers can access orphaned image files through previously generated URLs, allowing unauthorized retrieval of user-uploaded content.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
Capgo · Capgo

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/Cap-go/capgo/security/advisories/GHSA-8p92-wcp2-c9j4https://www.vulncheck.com/advisories/capgo-orphaned-file-retention-via-profile-image-replacement