CVE-2026-56218
Status: Received - Intake
Capgo Image EXIF Metadata Disclosure Vulnerability

Publication date: 2026-06-20

Last updated on: 2026-06-20

Assigner: VulnCheck

Description
Capgo before 12.128.2 fails to strip EXIF metadata including GPS geolocation data from uploaded images, allowing information disclosure. Attackers can download uploaded images and extract precise latitude and longitude coordinates revealing user physical location at capture time.
Meta Information
Published: 2026-06-20
Last Modified: 2026-06-20
Generated: 2026-06-20
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: capgo
Product: capgo
Version range: all versions before 12.128.2 (12.128.2 itself is not affected)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Executive Summary

CVE-2026-56218 is an information-disclosure vulnerability in Capgo versions before 12.128.2: images uploaded to the service keep their EXIF metadata, including the GPS tags a phone camera writes when location services are on.

Because the metadata is neither stripped nor sanitized before the image is stored and served publicly, anyone who can fetch the image can read the GPSLatitude and GPSLongitude tags and obtain the coordinates at which it was taken.

The result is that the physical location of the uploading user at capture time (often a home or workplace) is revealed to any viewer of the image.

Impact Analysis

The impact is a privacy breach: precise GPS coordinates embedded in uploaded images are disclosed to anyone who can download them.

  • Attackers can determine where a user was when each image was taken, and from a series of images infer routines and frequently visited places.
  • This is a disclosure of sensitive personal data and therefore a user privacy violation.
  • The disclosed location can be used for targeted follow-on activity such as stalking, doxxing or physical targeting of specific users.
Compliance Impact

The vulnerability raises compliance concerns under privacy regulations such as GDPR and DPDP because it involves unauthorized disclosure of sensitive personal data, specifically geolocation information.

Failing to strip EXIF metadata including GPS data from images can lead to violations of data protection requirements related to user consent, data minimization, and safeguarding personal information.

Detection Guidance

To confirm whether an instance is affected, upload a test image that you know carries GPS tags (a photo taken on a phone with location services enabled, or one you have tagged yourself), fetch it back from the URL at which Capgo serves it, and inspect the metadata of the served copy. Checking only the object in storage is not sufficient: the disclosure happens on the path that serves the file.

Common commands to inspect EXIF metadata include 'exiftool' and 'identify' (from ImageMagick). For example:

  • exiftool image.jpg
  • exiftool -gps:all image.jpg (prints only the GPS tag group)
  • identify -verbose image.jpg | grep -i gps

If the served copy still reports GPSLatitude and GPSLongitude (together with their GPSLatitudeRef and GPSLongitudeRef N/S and E/W markers), the instance is not stripping metadata and is affected. An image that shows no GPS tags proves nothing on its own, since the original may never have had any; that is why the test must use an input known to contain them.

Mitigation Strategies

Upgrade Capgo to version 12.128.2 or later, the first version in which this issue is fixed.

Where upgrading is not immediately possible, add server-side sanitization in front of storage so that EXIF metadata, and the GPS tags in particular, is removed from every image at upload time, before the file is written or served publicly. Any image-processing library or tool can do this: ImageMagick's '-strip' option or 'exiftool -all= image.jpg' removes all metadata, and 'exiftool -gps:all= image.jpg' removes only the GPS group. Note that dropping the whole EXIF block also removes the Orientation tag, so photos shot in portrait mode may display rotated unless the pipeline applies the orientation to the pixels (or preserves that single tag) when it re-encodes.

Stripping at upload time does not help images that are already stored. Reprocess the existing objects the same way so that coordinates already persisted are removed, and treat the locations in images that have already been served publicly as disclosed.
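The following is a worked example added to this page; it is not code from Capgo or from the advisory. It covers both the detection step (reading the GPS IFD out of a JPEG's Exif APP1 segment) and the mitigation step (dropping that segment before a file is stored or served), in pure Python so it runs where exiftool is not installed. The function names (header_segments, extract_gps, strip_exif, build_sample_jpeg) are this example's own, the sample JPEG is constructed inside the script (header segments only, no pixel data), and the coordinates in it are invented.

```python
"""Detect and strip GPS EXIF data in JPEG bytes (pure Python, no exiftool or Pillow)."""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
MARKER_APP1, MARKER_SOS, MARKER_EOI = 0xE1, 0xDA, 0xD9
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825  # IFD0 entry pointing at the GPS sub-IFD
# GPS IFD tags: 1 = LatitudeRef, 2 = Latitude, 3 = LongitudeRef, 4 = Longitude

def header_segments(data):
    """Yield (marker, start, end, payload) for every segment before SOS/EOI."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (MARKER_SOS, MARKER_EOI):
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def is_exif(marker, payload):
    return marker == MARKER_APP1 and payload[:6] == EXIF_HEADER

def strip_exif(data):
    """Return the JPEG with every APP1 Exif segment removed; pixel data untouched."""
    out, end = bytearray(SOI), 2
    for marker, start, end, payload in header_segments(data):
        if not is_exif(marker, payload):
            out += data[start:end]
    return bytes(out + data[end:])  # SOS and the entropy-coded scan follow verbatim

def read_ifd(tiff, offset, e):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for one IFD."""
    count = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for at in range(offset + 2, offset + 2 + 12 * count, 12):
        tag, typ, n = struct.unpack(e + "HHI", tiff[at:at + 8])
        entries[tag] = (typ, n, tiff[at + 8:at + 12])
    return entries

def read_rationals(tiff, entry, e):
    """Decode a RATIONAL (type 5) array stored at the entry's offset."""
    _, n, raw = entry
    off = struct.unpack(e + "I", raw)[0]
    return [num / den if den else 0.0
            for num, den in struct.iter_unpack(e + "II", tiff[off:off + 8 * n])]

def dms_to_degrees(dms, ref):
    """(deg, min, sec) plus an N/S/E/W reference letter -> signed decimal degrees."""
    d, m, s = dms
    return (d + m / 60 + s / 3600) * (-1 if ref in ("S", "W") else 1)

def extract_gps(data):
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS EXIF, else None."""
    tiff = next((p[6:] for m, _, _, p in header_segments(data) if is_exif(m, p)), None)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    e = "<" if tiff[:2] == b"II" else ">"  # II = little-endian, MM = big-endian
    ifd0 = read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(tiff, struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])[0], e)
    if any(tag not in gps for tag in (1, 2, 3, 4)):
        return None
    lat = dms_to_degrees(read_rationals(tiff, gps[2], e), chr(gps[1][2][0]))
    lon = dms_to_degrees(read_rationals(tiff, gps[4], e), chr(gps[3][2][0]))
    return round(lat, 6), round(lon, 6)

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref, byte_order=b"MM"):
    """Constructed fixture: SOI, JFIF APP0, Exif APP1 with a GPS IFD, EOI. No scan data,
    so not viewable, but exactly what a phone photo looks like up to where pixels start.
    TIFF layout: header 0-8, IFD0 8-26, GPS IFD 26-80, lat rationals 80-104, lon 104-128."""
    e = ">" if byte_order == b"MM" else "<"
    def entry(tag, typ, n, raw):
        return struct.pack(e + "HHI", tag, typ, n) + raw
    tiff = byte_order + struct.pack(e + "HI", 42, 8)
    tiff += struct.pack(e + "H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(e + "I", 26)) + b"\x00" * 4
    tiff += struct.pack(e + "H", 4)
    tiff += entry(1, 2, 2, lat_ref.encode() + b"\x00" * 3)  # ASCII "N\0" fits inline
    tiff += entry(2, 5, 3, struct.pack(e + "I", 80))
    tiff += entry(3, 2, 2, lon_ref.encode() + b"\x00" * 3)
    tiff += entry(4, 5, 3, struct.pack(e + "I", 104)) + b"\x00" * 4
    for num, den in (*lat_dms, *lon_dms):
        tiff += struct.pack(e + "II", num, den)
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    body = EXIF_HEADER + tiff
    app1 = b"\xff" + bytes([MARKER_APP1]) + struct.pack(">H", len(body) + 2) + body
    return SOI + app0 + app1 + EOI

# Made-up coordinates (51 deg 30' 26.00" N, 0 deg 7' 39.00" W), not anyone's real location.
SAMPLE = build_sample_jpeg(((51, 1), (30, 1), (2600, 100)), "N",
                           ((0, 1), (7, 1), (3900, 100)), "W")

if __name__ == "__main__":
    print("before strip:", extract_gps(SAMPLE))              # (51.507222, -0.1275)
    print("after strip: ", extract_gps(strip_exif(SAMPLE)))  # None
```

In an upload handler, strip_exif would run on the request body before the bytes are written to object storage; extract_gps is the check to run against the served URL when testing an instance. Two caveats for a production sanitizer: dropping the Exif segment also drops the Orientation tag, so re-encode with the orientation applied if rotated portrait images matter, and XMP metadata (an APP1 segment starting with "http://ns.adobe.com/xap/1.0/") can carry the same coordinates, so it should be removed as well; this example handles only the Exif segment.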
