HIGH
capacitor-updater
CVE published 2026-07-10
CVE-2026-56254
The @capgo/capacitor-updater package before version 12.128.2 has a vulnerability in its end-to-end encryption scheme. The private key is distributed to each device that downloads the app, allowing an attacker performing a man-in-the-middle attack or compromising the Capgo server to create a validly signed update bundle and cause devices to install an update not produced by the original app maker. This vul [truncated]