CyberSec.Space Logo
返回 CVE 浏览器

CVE-2026-56215

HIGH
8.3
CVSS Severity Score
EPSS Score0.0690%
EPSS Percentile30.56th
Published2026年6月20日
Last Modified2026年6月20日

Vulnerability Description

Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can pre-position their account with a victim's corporate SSO email, causing the provision-user endpoint to merge the victim's SSO identity into the attacker-controlled account.

Affected Platforms (CPE)

No CPE configurations currently published for this record.

References & Advisories

🔗 https://github.com/Cap-go/capgo/security/advisories/GHSA-wqc6-fhwf-qpww
🔗 https://www.vulncheck.com/advisories/capgo-account-merge-via-poisoned-public-users-email-in-sso-provisioning

相关漏洞威胁

CVE-2026-4714010.0

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as mo...

CVE-2026-1052010.0

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenti...

CVE-2026-4713710.0

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced...

CVE-2026-4720810.0

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This all...