CVE-2026-53867
4.3 MEDIUM
Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them
Published: 2026-06-12 · Last updated: 2026-06-15
Severity and scoring
- CVSS: 4.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- CWE: CWE-459
Description
Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. Attackers can access orphaned image files through previously generated URLs, allowing unauthorized retrieval of user-uploaded content.
Source: NVD
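As an added illustration of the incomplete-cleanup pattern (CWE-459) described above, not Capgo's own code: a replace handler that orphans the previous object beside one that deletes it, plus a reconciliation sweep that lists objects no profile references. The Storage class and the profiles table are constructed in-memory stand-ins for an object store and a user database.

```python
import uuid


class Storage:
    """Constructed in-memory stand-in for an object-storage bucket (key -> bytes)."""

    def __init__(self):
        self.objects = {}

    def put(self, data):
        key = f"avatars/{uuid.uuid4().hex}.png"
        self.objects[key] = data
        return key

    def delete(self, key):
        self.objects.pop(key, None)

    def get(self, key):
        return self.objects.get(key)  # None: the old URL no longer resolves


def replace_avatar_vulnerable(storage, profiles, user_id, data):
    # Uploads the new image and repoints the profile row, but never deletes the
    # previous object: anyone holding the old URL can still fetch it.
    profiles[user_id] = storage.put(data)
    return profiles[user_id]


def replace_avatar_fixed(storage, profiles, user_id, data):
    # Upload first so a failed upload never strips the user's current image,
    # then delete the previous object once the profile points at the new key.
    old_key = profiles.get(user_id)
    new_key = storage.put(data)
    profiles[user_id] = new_key
    if old_key and old_key != new_key:
        storage.delete(old_key)
    return new_key


def remove_avatar_fixed(storage, profiles, user_id):
    # Removal must also drop the object, not just clear the reference.
    old_key = profiles.pop(user_id, None)
    if old_key:
        storage.delete(old_key)


def find_orphans(storage, profiles):
    """Detection/cleanup aid: objects in the bucket that no profile references.
    Run periodically to catch leftovers from the vulnerable path, or from a
    crash between the upload and delete steps of the fixed path."""
    referenced = set(profiles.values())
    return sorted(k for k in storage.objects if k not in referenced)
```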
Related CVEs
Same CWE
- CVE-2026-5038 — Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage (5.3 MEDIUM)
- CVE-2026-33232 — AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents (7.5 HIGH)
- CVE-2026-43395 — In the Linux kernel, the following vulnerability has been resolved: drm/xe/sync: Cleanup partially initialized sync on parse failure xe... (5.5 MEDIUM)