GHSA-pw45-xmrx-x2w8LowCVSS 3.1

Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in...

Published
June 20, 2026
Last Modified
June 20, 2026

🔗 CVE IDs covered (1)

📋 Description

Capgo before 12.128.2 uses ILIKE pattern matching instead of exact matching for app_id lookup in the preview subdomain resolver, allowing underscore characters in app_id to act as SQL wildcards. Attackers can create apps with app_ids differing by one character at underscore positions to cause unintended pattern matches, breaking preview functionality for legitimate apps or causing app-id confusion.

🔗 References (4)