CVE-2026-56218

Severity CVSS v4.0:
MEDIUM
Type:
CWE-200 Information Leak / Disclosure
Publication date:
20/06/2026
Last modified:
23/06/2026

Description

Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract precise latitude and longitude coordinates revealing user physical location at capture time.