Capgo < 12.128.2 - Orphaned File Retention via Profile Image Replacement
CVE-2026-53867

5.3 MEDIUM

Key Information:

Vendor: Cap-go

Status
Vendor
CVE Published: 12 June 2026

What is CVE-2026-53867?

Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. Attackers can access orphaned image files through previously generated URLs, allowing unauthorized retrieval of user-uploaded content.

Affected Version(s)

capgo 0 < 12.128.2

capgo 12.128.2

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Naitik Gupta