Capgo before 12.128.2 contains a cross-tenant preview...
Moderate severity
Unreviewed
Published
Jul 10, 2026
to the GitHub Advisory Database
•
Updated Jul 10, 2026
Description
Published by the National Vulnerability Database
Jul 10, 2026
Published to the GitHub Advisory Database
Jul 10, 2026
Last updated
Jul 10, 2026
Capgo before 12.128.2 contains a cross-tenant preview namespace collision vulnerability caused by non-bijective decoding of double underscores to dots in preview hostname parsing. Attackers can register app IDs with underscores that collide with other tenants' dotted app IDs, causing preview misrouting and denial of preview access for victim applications.
References