CVE-2026-56218
Severity CVSS v4.0:
MEDIUM
Type:
CWE-200
Information Leak / Disclosure
Publication date:
20/06/2026
Last modified:
23/06/2026
Description
Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract precise latitude and longitude coordinates revealing user physical location at capture time.
Impact
Base Score 4.0
6.90
Severity 4.0
MEDIUM
Base Score 3.x
5.30
Severity 3.x
MEDIUM



