PatchSiren

capacitor-updater CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH capacitor-updater CVE published 2026-07-10

CVE-2026-56254

The @capgo/capacitor-updater package before version 12.128.2 has a vulnerability in its end-to-end encryption scheme. The private key is distributed to each device that downloads the app, allowing an attacker performing a man-in-the-middle attack or compromising the Capgo server to create a validly signed update bundle and cause devices to install an update not produced by the original app maker. This vul [truncated]