CVE-2026-56330

Severity CVSS v4.0:
MEDIUM
Type:
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
Publication date:
20/06/2026
Last modified:
23/06/2026

Description

Capgo before 12.128.2 contains an open redirect vulnerability in stripe_portal and stripe_checkout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft malicious billing URLs to redirect users to attacker-controlled domains for phishing and credential harvesting.