Skip to main content

Capacitor Updater

1 CVEs product

Monthly

CVE-2026-56254 HIGH PATCH This Week

Update-signing bypass in @capgo/capacitor-updater (capgo OTA plugin for Capacitor apps) before 12.128.2 undermines its end-to-end encryption by shipping the same private key to every device that downloads the app. Because the public verification key can be derived from that distributed private key, an attacker with a man-in-the-middle position or control of the Capgo delivery server can forge a validly signed update bundle and push attacker-controlled code to devices. Reported by VulnCheck with a CVSS 4.0 base score of 8.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Capacitor Updater
NVD GitHub
CVSS 4.0
8.3
EPSS
0.2%
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Update-signing bypass in @capgo/capacitor-updater (capgo OTA plugin for Capacitor apps) before 12.128.2 undermines its end-to-end encryption by shipping the same private key to every device that downloads the app. Because the public verification key can be derived from that distributed private key, an attacker with a man-in-the-middle position or control of the Capgo delivery server can forge a validly signed update bundle and push attacker-controlled code to devices. Reported by VulnCheck with a CVSS 4.0 base score of 8.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure Capacitor Updater
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy