Naitik Gupta

**Name of the Vulnerable Software and Affected Versions** Cap-go versions prior to 12.128.2 **Description** An account takeover issue exists in the email change mechanism. An attacker with temporary authenticated session access can change the registered email address without requiring re-authentication, such as a password or Multi-Factor Authentication (MFA) verification. This allows the attacker to redirect verification to an email address under their control and subsequently perform a password reset to gain permanent control of the victim's account. **Recommendations** Update to version 12.128.2 or later.

**Name of the Vulnerable Software and Affected Versions** Capgo Console versions prior to 12.28.2 **Description** A denial-of-service issue exists in the account deletion flow. An attacker can block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the deletion state with the device identifier, which causes the affected device or browser environment to be redirected to an account-disabled page for approximately 30 days, preventing any account login or registration from that device. **Recommendations** Update to version 12.28.2 or later.

**Name of the Vulnerable Software and Affected Versions** Capgo versions prior to 12.128.2 **Description** The software fails to delete previously uploaded profile images from backend storage when users replace or remove them. This results in orphaned image files that can be accessed by attackers through previously generated URLs, leading to the unauthorized retrieval of user-uploaded content. **Recommendations** Update to version 12.128.2.

**Name of the Vulnerable Software and Affected Versions** Capgo versions prior to 12.128.2 **Description** A denial of service issue exists where attackers can register accounts using arbitrary email addresses without verification. By initiating the deletion process for these accounts, attackers can lock those email addresses in a pending deletion state. This allows attackers to permanently prevent legitimate users from accessing the platform for 30 days by exploiting unverified email ownership during account lifecycle operations. **Recommendations** Update to version 12.128.2.