CVE-2026-56325
Severity CVSS v4.0:
LOW
Type:
CWE-20
Input Validation
Publication date:
20/06/2026
Last modified:
22/06/2026
Description
Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in the preview subdomain resolver, allowing underscore characters in app_id to act as SQL wildcards. Attackers can create apps with app_ids differing by one character at underscore positions to cause unintended pattern matches, breaking preview functionality for legitimate apps or causing app-id confusion.
Impact
Base Score 4.0
2.30
Severity 4.0
LOW
Base Score 3.x
3.10
Severity 3.x
LOW



