CVE-2026-56330
Severity CVSS v4.0:
MEDIUM
Type:
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
Publication date:
20/06/2026
Last modified:
23/06/2026
Description
Capgo before 12.128.2 contains an open redirect vulnerability in stripe_portal and stripe_checkout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft malicious billing URLs to redirect users to attacker-controlled domains for phishing and credential harvesting.
Impact
Base Score 4.0
4.80
Severity 4.0
MEDIUM
Base Score 3.x
3.50
Severity 3.x
LOW



