CVE-2026-56330
Published
CVSS v3
3.5
LOW
CVSS v2
N/A
Affected
1
PROJECT
Description
Capgo before 12.128.2 contains an open redirect vulnerability in stripe_portal and stripe_checkout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft malicious billing URLs to redirect users to attacker-controlled domains for phishing and credential harvesting.
Console, Backend and CLI to manage Capgo Instant update and Native build for Capacitor apps
GitHub