Capgo before 12.128.2 allows email address changes...
High severity
Unreviewed
Published
Jul 12, 2026
to the GitHub Advisory Database
•
Updated Jul 12, 2026
Description
Published by the National Vulnerability Database
Jul 12, 2026
Published to the GitHub Advisory Database
Jul 12, 2026
Last updated
Jul 12, 2026
Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and bypass multi-factor authentication protections.
References