PT-2026-54024 · Cap Go · Cap-Go

Hunt-With-4Bh1

·

Published

2026-06-30

·

Updated

2026-06-30

·

CVE-2026-56233

CVSS v3.1

8.3

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenticated users with build permissions to bypass upload restrictions. Attackers can append traversal sequences to the upload path, which are normalized by the WHATWG URL parser, enabling access to internal administrative endpoints with the privileged BUILDER API KEY header and resulting in server-side privilege escalation.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56233

Affected Products

Cap-Go