Description
Capgo before 12.128.2 contains an open redirect vulnerability in stripe_portal and stripe_checkout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft malicious billing URLs to redirect users to attacker-controlled domains for phishing and credential harvesting.
Published: 2026-06-20
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Capgo applications prior to version 12.128.2 contain a CWE-601 open redirect flaw in the stripe_portal and stripe_checkout endpoints. The endpoints accept callbackUrl, successUrl, and cancelUrl parameters without validating them, allowing an attacker to craft billing URLs that redirect users to malicious domains. This vulnerability enables phishing attacks and credential harvesting by luring users to attacker‑controlled sites.

Affected Systems

The affected product is Capgo. Any installation running a version earlier than 12.128.2 is vulnerable.

Risk and Exploitability

The CVSS v4.0 score of 4.8 (v3.1: 3.5) indicates moderate severity. Exploitation needs an authenticated account with access to the billing endpoints (PR:L) plus a victim who follows the crafted link (UI:R in v3.1, UI:A in v4.0); the rated impact is limited to confidentiality, through phishing or credential harvesting on the attacker's page. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so there is no public evidence of exploitation in the wild. A link that begins on a trusted domain is exactly what a phishing lure needs, however, so proactive mitigation is still warranted.

Generated by OpenCVE AI on June 20, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Capgo version 12.128.2 or later, which fixes the open redirect flaw in stripe_portal and stripe_checkout.
  • If upgrading is not immediately possible, validate the callbackUrl, successUrl, and cancelUrl parameters server-side against an allowlist of trusted origins (https scheme and exact hostname) before they are passed to Stripe, and fall back to a default in-application page when the check fails; a string prefix or substring match is not enough.
  • Enforce strict access controls on billing URL generation, ensuring that only authorized users can create or modify redirect URLs.

Generated by OpenCVE AI on June 20, 2026 at 17:50 UTC.
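The flaw described in the Impact section and the allowlist check called for in the recommended actions, as an added example written for this page rather than Capgo's own code: the vulnerable pattern (the handler trusts callbackUrl as given) next to a hardened validator for all three parameters. The allowed hosts, the default return page, the parameter-bag type and the function names are assumptions; Capgo's real handlers and the fix shipped in 12.128.2 are not reproduced here.

```typescript
// Added example for this page, not Capgo's code. Shows the CWE-601 pattern the
// advisory describes (trusting callbackUrl / successUrl / cancelUrl as given)
// next to a server-side allowlist check. Hosts, paths and names are assumed.

// Assumed allowlist of hosts the app may send users back to after Stripe flows.
// Exact hostnames only: no wildcards, no prefix matching.
const ALLOWED_REDIRECT_HOSTS: ReadonlySet<string> = new Set([
  "console.example.com",
  "app.example.com",
]);

// Assumed safe default used whenever a supplied URL fails validation.
const DEFAULT_RETURN_URL = "https://console.example.com/settings/plans";

// Assumed shape of the query parameters the billing endpoints receive.
type BillingParams = {
  callbackUrl?: string;
  successUrl?: string;
  cancelUrl?: string;
};

// Vulnerable pattern: whatever the caller sends becomes the redirect target, so
// .../stripe_portal?callbackUrl=https://evil.net/login bounces the user off the
// trusted domain onto an attacker-controlled page.
function portalRedirectUnsafe(params: BillingParams): string | undefined {
  return params.callbackUrl;
}

// Parse without a base URL: relative paths ("/billing") and protocol-relative
// forms ("//evil.net") throw here instead of being resolved against the
// request origin, which is where many open-redirect bypasses start.
function parseAbsoluteUrl(candidate: string): URL | null {
  try {
    return new URL(candidate);
  } catch {
    return null;
  }
}

// Hardened check. Returns the normalized absolute URL if it is safe to redirect
// to, otherwise null; the caller substitutes a default instead of echoing input.
function safeRedirectUrl(
  candidate: string | undefined,
  allowedHosts: ReadonlySet<string> = ALLOWED_REDIRECT_HOSTS,
): string | null {
  if (!candidate) return null;

  const url = parseAbsoluteUrl(candidate);
  if (url === null) return null;

  // Only https. This also rejects javascript:, data: and http: downgrades.
  if (url.protocol !== "https:") return null;

  // Reject embedded credentials: "https://console.example.com@evil.net/" has
  // hostname evil.net, but a human reading the link sees the trusted name first.
  if (url.username !== "" || url.password !== "") return null;

  // Exact host comparison. WHATWG parsing already lowercases the hostname, so
  // "console.example.com.evil.net" and "evil.net/console.example.com" both fail.
  if (!allowedHosts.has(url.hostname)) return null;

  return url.toString();
}

// Resolves the three Stripe return URLs, falling back to the default for any
// parameter that is missing or fails validation.
function resolveBillingReturnUrls(params: BillingParams): {
  callbackUrl: string;
  successUrl: string;
  cancelUrl: string;
} {
  return {
    callbackUrl: safeRedirectUrl(params.callbackUrl) ?? DEFAULT_RETURN_URL,
    successUrl: safeRedirectUrl(params.successUrl) ?? DEFAULT_RETURN_URL,
    cancelUrl: safeRedirectUrl(params.cancelUrl) ?? DEFAULT_RETURN_URL,
  };
}
```

The check has to run on the server where the Stripe session or portal link is created, before the values are handed to Stripe as its success and cancel URLs: Stripe will send the user wherever it was told to, so a client-side check or a check applied only to callbackUrl leaves the other two parameters open.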

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 16:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           Capgo before 12.128.2 contains an open redirect vulnerability in stripe_portal and stripe_checkout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft malicious billing URLs to redirect users to attacker-controlled domains for phishing and credential harvesting.
Title        (none)           Capgo - Open Redirect via Unvalidated Stripe Billing URLs
Weaknesses   (none)           CWE-601
References   (none)           (none)
Metrics      (none)           cvssV3_1: score 3.5, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
                              cvssV4_0: score 4.8, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T15:24:48.818Z

Reserved: 2026-06-20T13:06:29.994Z

Link: CVE-2026-56330

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-20T18:00:09Z

Weaknesses
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')