CVE-2026-56332
MediumCVSS 4.7Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter is not validated, enabling attackers to craft malicious links for phishing and credential harvesting attacks.
Risk Assessment
This vulnerability poses a risk to users who may be tricked into being redirected to fraudulent sites, leading to the theft of personal and credential data. Organizations may suffer financial and reputational losses as a result of such attacks.
Recommendation
It is recommended to upgrade to Capgo version 12.128.2 or later to mitigate this vulnerability. Additionally, implementing further URL parameter validation mechanisms in the application is advisable.
Original NVD description (English source)
Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websites. The confirmation_url parameter is not validated, enabling attackers to craft malicious links for phishing and credential harvesting attacks.

