CVE-2026-56255

MEDIUM 4.3

Capgo - Denial of Service via Unlimited Demo App Creation

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications without rate limiting or quota enforcement. Attackers can repeatedly invoke this endpoint to generate approximately 138 database write operations per request, causing degraded performance, increased costs, and potential service instability.

CWE	CWE-770
Vendor	capgo
Product	capgo
Published	Jun 22, 2026

Stay Ahead of the Next One

Get instant alerts for capgo capgo

Be the first to know when new medium vulnerabilities affecting capgo capgo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Affected Versions

Capgo / Capgo

0 < 12.128.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Cap-go/capgo/security/advisories/GHSA-q2xx-6h9x-43fw vulncheck.com: https://www.vulncheck.com/advisories/capgo-denial-of-service-via-unlimited-demo-app-creation

Credits

🔍 Judel777