CVE-2026-56329: Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing.
Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can register app IDs with underscores that collide with other tenants' dotted app IDs, causing preview misrouting and denial of preview access for victim applications.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-56329
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-56329 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for Capgo
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- mediumCVE-2026-56335: Capgo before 12.128.2 contains an authorization bypass vulnerability where write-scoped API ke…nvd · 2026-07-10
- mediumCVE-2026-56312: Capgo before 12.128.2 contains an improper validation vulnerability in the accept_invitation e…nvd · 2026-07-10
- mediumCVE-2026-56309: Capgo before 12.128.2 fails to enforce plan/quota restrictions on the /files/upload/attachment…nvd · 2026-07-10
- highCVE-2026-56305: Capgo before 12.128.2 contains an authentication bypass vulnerability in the password change e…nvd · 2026-07-10
- highCVE-2026-56279: Capgo before 12.128.2 contains an information disclosure vulnerability in the get_orgs_v7(user…nvd · 2026-07-10
- mediumCVE-2026-56298: Capgo before 12.128.2 fails to strip EXIF metadata from images uploaded via the app informatio…nvd · 2026-07-08
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11