CVE-2026-56325

LOW 3.1

Capgo - App ID Confusion via ILIKE Wildcard in Preview Subdomain Lookup

CVSS Score

3.1

EPSS Score

0.0%

EPSS Percentile

0th

Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in the preview subdomain resolver, allowing underscore characters in app_id to act as SQL wildcards. Attackers can create apps with app_ids differing by one character at underscore positions to cause unintended pattern matches, breaking preview functionality for legitimate apps or causing app-id confusion.

CWE	CWE-20
Vendor	capgo
Product	capgo
Published	Jun 20, 2026

Stay Ahead of the Next One

Get instant alerts for capgo capgo

Be the first to know when new low vulnerabilities affecting capgo capgo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Affected Versions

Capgo / Capgo

0 < 12.128.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Cap-go/capgo/security/advisories/GHSA-cw88-ch2j-8vqj vulncheck.com: https://www.vulncheck.com/advisories/capgo-app-id-confusion-via-ilike-wildcard-in-preview-subdomain-lookup

Credits

🔍 Judel777