CVE Catalog

CVE-2026-56221

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

19th percentile — higher than 19% of all known CVEs

Summary

Cap-go before version 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can inject arbitrary SQL through deviceIds, search, version_name, cursor, and actions parameters.

Risk Assessment

This vulnerability allows authenticated users to access analytics data belonging to other users or applications, potentially leading to serious privacy and data security breaches.

Recommendation

It is recommended to upgrade to Cap-go version 12.128.2 or later and implement appropriate sanitization and parameterization mechanisms for SQL queries.

Original NVD description (English source)

Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can inject arbitrary SQL through deviceIds, search, version_name, cursor, and actions parameters to access analytics data belonging to other users or applications.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS