Description
Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract precise latitude and longitude coordinates revealing user physical location at capture time.
Published: 2026-06-20
Score: 6.9 Medium (CVSS v4.0; the v3.1 vector scores 5.3)
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo before version 12.128.2 does not remove EXIF metadata – including GPS coordinates – when images are uploaded. This flaw allows an attacker who can retrieve uploaded images to obtain precise latitude and longitude values that identify where a user was at the time the photo was taken, violating privacy and potentially enabling targeted attacks.

Affected Systems

The affected product is Capgo, any instance running a version earlier than 12.128.2. No specific subcomponents are listed, so all application deployments that allow image uploads fall under this risk.

Risk and Exploitability

The CVSS v4.0 score is 6.9 (Medium); the v3.1 vector scores 5.3. Both vectors (AV:N/AC:L/PR:N/UI:N, confidentiality impact Low, no integrity or availability impact) describe an unauthenticated, network-reachable information leak. EPSS information is not available and the vulnerability is not in CISA's KEV catalog. Exploitation does not require uploading anything: an attacker only needs to fetch images that other users have uploaded, which the vectors assume is possible without privileges, and read the embedded EXIF GPS tags (GPSLatitude, GPSLongitude and their N/S and E/W reference tags) with any EXIF reader. The coordinates are the ones recorded by the capturing device, so they reveal where the user was when the photo was taken, not where the upload happened.

Generated by OpenCVE AI on June 20, 2026 at 17:23 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description names 12.128.2 as the first unaffected version, so upgrading to that release is the fix (see Recommended Actions below).

OpenCVE Recommended Actions

  • Upgrade Capgo to version 12.128.2 or later, where EXIF data stripping is implemented.
  • Strip all EXIF (and other embedded metadata) in the upload handler before the object is written to storage; stripping "after upload" leaves a window in which the original file is readable. Verify by reading the stored object back through an EXIF parser, and reprocess images uploaded before the fix, since they still carry their original metadata.
  • Restrict download or share permissions for uploaded images to authenticated and authorized users only.

Generated by OpenCVE AI on June 20, 2026 at 17:23 UTC.
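As an added example (not Capgo's code and not part of this advisory), the following plain Node.js script, with no third-party dependencies, shows both halves of the recommended actions: extractGps is the check for whether a stored JPEG still leaks a location, and stripExif is the fix an upload handler can apply before the file is persisted. buildExifJpeg constructs the sample input inline; the function names, the fixed TIFF layout of that sample and the coordinates are assumptions made for this example.

```javascript
// Byte size of each TIFF field type (unlisted types are treated as 1 byte).
const TYPE_SIZE = { 1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8 };
// APPn segments that carry metadata: APP1 (Exif, XMP) and APP13 (IPTC/Photoshop).
// APP0 (JFIF) and APP2 (ICC colour profile) are kept so the image still renders as before.
const METADATA_MARKERS = new Set([0xE1, 0xED]);

// Yields the length-prefixed segments between SOI and SOS. Scan data after SOS has
// no length fields, so parsing stops there; a bad length also stops the walk.
function* jpegSegments(jpeg) {
  if (jpeg.length < 4 || jpeg.readUInt16BE(0) !== 0xFFD8) return;
  for (let pos = 2; pos + 4 <= jpeg.length && jpeg[pos] === 0xFF; ) {
    const marker = jpeg[pos + 1];
    if (marker === 0xDA || marker === 0xD9) return; // SOS / EOI
    const len = jpeg.readUInt16BE(pos + 2), end = pos + 2 + len; // len counts itself
    if (len < 2 || end > jpeg.length) return;
    yield { marker, start: pos, end, data: jpeg.subarray(pos + 4, end) };
    pos = end;
  }
}

// Reads one IFD into a Map tag -> { type, count, off }; off is the absolute TIFF
// offset of the value bytes (inline in the entry when they fit in 4 bytes).
function readIfd(tiff, off, u16, u32) {
  const entries = new Map();
  const n = off + 2 <= tiff.length ? u16(off) : 0;
  for (let i = 0, e = off + 2; i < n && e + 12 <= tiff.length; i++, e += 12) {
    const type = u16(e + 2), count = u32(e + 4), size = (TYPE_SIZE[type] || 1) * count;
    entries.set(u16(e), { type, count, off: size <= 4 ? e + 8 : u32(e + 8) });
  }
  return entries;
}

// Decodes a coordinate stored as three RATIONALs (degrees, minutes, seconds).
function dmsToDecimal(tiff, entry, u32) {
  if (!entry || entry.type !== 5 || entry.count < 3 || entry.off + 24 > tiff.length) return NaN;
  let deg = 0;
  for (let i = 0, scale = 1; i < 3; i++, scale *= 60) {
    const num = u32(entry.off + i * 8), den = u32(entry.off + i * 8 + 4);
    deg += (den ? num / den : 0) / scale;
  }
  return deg;
}

// The check: { lat, lon } in decimal degrees if the JPEG carries an Exif GPS IFD,
// otherwise null. Handles both "II" (little-endian) and "MM" TIFF byte orders.
function extractGps(jpeg) {
  for (const seg of jpegSegments(jpeg)) {
    if (seg.marker !== 0xE1 || seg.data.toString('latin1', 0, 6) !== 'Exif\0\0') continue;
    const tiff = seg.data.subarray(6);
    if (tiff.length < 8) continue;
    const le = tiff.toString('latin1', 0, 2) === 'II';
    const u16 = (o) => (le ? tiff.readUInt16LE(o) : tiff.readUInt16BE(o));
    const u32 = (o) => (le ? tiff.readUInt32LE(o) : tiff.readUInt32BE(o));
    if (u16(2) !== 0x002A) continue;
    const gpsPtr = readIfd(tiff, u32(4), u16, u32).get(0x8825); // GPSInfo IFD pointer in IFD0
    if (!gpsPtr || gpsPtr.off + 4 > tiff.length) return null;
    const gps = readIfd(tiff, u32(gpsPtr.off), u16, u32);
    const lat = dmsToDecimal(tiff, gps.get(0x0002), u32), lon = dmsToDecimal(tiff, gps.get(0x0004), u32);
    if (Number.isNaN(lat) || Number.isNaN(lon)) return null;
    const ref = (e) => (e && e.off < tiff.length ? String.fromCharCode(tiff[e.off]) : '');
    return { lat: ref(gps.get(0x0001)) === 'S' ? -lat : lat, lon: ref(gps.get(0x0003)) === 'W' ? -lon : lon };
  }
  return null;
}

// The fix: drop every metadata APPn segment and copy everything else byte-for-byte.
// Non-JPEG input passes through unchanged, so callers must still validate the format.
function stripExif(jpeg) {
  const parts = [];
  let kept = 0;
  for (const seg of jpegSegments(jpeg)) {
    if (!METADATA_MARKERS.has(seg.marker)) continue;
    parts.push(jpeg.subarray(kept, seg.start));
    kept = seg.end;
  }
  parts.push(jpeg.subarray(kept)); // SOS, scan data and EOI are untouched
  return Buffer.concat(parts);
}

// Constructed sample (an assumption, not a real upload): a structurally valid JPEG
// container with SOI, APP0, an APP1 Exif block holding a GPS IFD, an SOS stub and
// EOI. It is not a decodable picture; it only exercises the reader and the stripper.
function buildExifJpeg(lat, lon, littleEndian = false) {
  const t = Buffer.alloc(128); // TIFF: header 0-7, IFD0 8-25, GPS IFD 26-79, rationals 80-127
  const w16 = (o, v) => (littleEndian ? t.writeUInt16LE(v, o) : t.writeUInt16BE(v, o));
  const w32 = (o, v) => (littleEndian ? t.writeUInt32LE(v, o) : t.writeUInt32BE(v, o));
  t.write(littleEndian ? 'II' : 'MM', 0, 'latin1'); w16(2, 0x002A); w32(4, 8);
  w16(8, 1); w16(10, 0x8825); w16(12, 4); w32(14, 1); w32(18, 26); // IFD0: GPSInfo -> offset 26
  w16(26, 4); // GPS IFD: LatRef, Lat, LonRef, Lon (next-IFD pointer at 76 stays 0)
  const entry = (i, tag, type, count, fill) => {
    const e = 28 + i * 12; w16(e, tag); w16(e + 2, type); w32(e + 4, count); fill(e + 8);
  };
  entry(0, 0x0001, 2, 2, (o) => t.write(lat < 0 ? 'S' : 'N', o, 'latin1'));
  entry(1, 0x0002, 5, 3, (o) => w32(o, 80));
  entry(2, 0x0003, 2, 2, (o) => t.write(lon < 0 ? 'W' : 'E', o, 'latin1'));
  entry(3, 0x0004, 5, 3, (o) => w32(o, 104));
  const dms = (o, v) => { // decimal degrees -> deg/1, min/1, (seconds*100)/100
    const a = Math.abs(v), d = Math.floor(a), m = Math.floor((a - d) * 60);
    const s100 = Math.round(((a - d) * 60 - m) * 6000);
    [[d, 1], [m, 1], [s100, 100]].forEach(([n, dn], i) => { w32(o + i * 8, n); w32(o + i * 8 + 4, dn); });
  };
  dms(80, lat); dms(104, lon);
  const seg = (marker, p) => Buffer.concat([Buffer.from([0xFF, marker, (p.length + 2) >> 8, (p.length + 2) & 0xFF]), p]);
  return Buffer.concat([
    Buffer.from([0xFF, 0xD8]),                                                      // SOI
    seg(0xE0, Buffer.from([0x4A, 0x46, 0x49, 0x46, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0])), // APP0 JFIF, kept
    seg(0xE1, Buffer.concat([Buffer.from('Exif\0\0', 'latin1'), t])),              // APP1 Exif, stripped
    Buffer.from([0xFF, 0xDA, 0x00, 0x02, 0x12, 0x34, 0xFF, 0xD9]),                  // SOS stub, scan bytes, EOI
  ]);
}

const sample = buildExifJpeg(37.7749, -122.4194);
console.log('before strip:', extractGps(sample));            // approx { lat: 37.7749, lon: -122.4194 }
console.log('after strip: ', extractGps(stripExif(sample)));  // null
```

Two caveats for anyone adapting this. First, it only handles JPEG; PNG (eXIf chunk), WebP (EXIF chunk) and HEIC can carry the same GPS tags and need format-specific handling or a full re-encode, so the upload handler should reject or convert formats it cannot scrub. Second, run the extractGps check against the object read back from storage, not against the buffer in memory, so that the test covers the whole write path.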

Tracking


Advisories

No advisories yet.

History

Sat, 20 Jun 2026 16:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract precise latitude and longitude coordinates revealing user physical location at capture time.
Title        (none)           Capgo - EXIF Metadata Exposure via Image Upload
Weaknesses   (none)           CWE-200
References   (none)           (none)
Metrics      (none)           cvssV3_1: score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                              cvssV4_0: score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T15:24:40.553Z

Reserved: 2026-06-19T21:43:24.737Z

Link: CVE-2026-56218

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T17:30:08Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor