CVE-2026-56330
Severity: Low (CVSS 3.5)
Exploitation Probability (EPSS): Low risk, 5th percentile (higher than 5% of all known CVEs)
Summary
Capgo before 12.128.2 contains an open redirect vulnerability in the stripe_portal and stripe_checkout endpoints, which accept unvalidated callbackUrl, successUrl, and cancelUrl parameters.
Risk Assessment
The risk to the organization is that authenticated attackers can craft billing URLs that redirect users from the trusted Capgo domain to attacker-controlled domains for phishing and credential harvesting.
Recommendation
It is recommended to update Capgo to version 12.128.2 or later and to validate the callbackUrl, successUrl, and cancelUrl parameters in those endpoints before using them as redirect targets.
Original NVD description (English source)
Capgo before 12.128.2 contains an open redirect vulnerability in stripe_portal and stripe_checkout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft malicious billing URLs to redirect users to attacker-controlled domains for phishing and credential harvesting.