CVE-2026-56221
Status: Received - Intake
SQL Injection in Cap-go Cloudflare Integration

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: VulnCheck

Description
Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts, where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can inject arbitrary SQL through the deviceIds, search, version_name, cursor, and actions parameters to access analytics data belonging to other users or applications.
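The following is an added illustration, not Capgo's cloudflare.ts (the advisory does not reproduce the project's queries): a request-body-to-SQL builder written in the interpolated style the description refers to, beside a parameterized builder that validates each of the named fields. The table and column names, the function names and the action allow-list are hypothetical; the "?" placeholders follow the Cloudflare D1 / SQLite convention.

```typescript
// Added example, not Capgo's code: interpolated analytics query (CWE-89)
// beside a parameterized, validated one. Table/column names, function
// names and ALLOWED_ACTIONS are hypothetical; "?" placeholders are D1/SQLite style.

interface AnalyticsRequest {
  appId: string;          // derived from the authenticated API key, never from the body
  deviceIds?: unknown;    // body fields are untrusted until validated
  search?: unknown;
  versionName?: unknown;
  cursor?: unknown;
  actions?: unknown;
}

interface PreparedQuery {
  sql: string;
  params: Array<string | number>;
}

// Vulnerable pattern: body values are spliced into the SQL text, so a quote
// inside deviceIds changes the structure of the statement instead of being data.
function buildInterpolatedQuery(req: AnalyticsRequest): string {
  const ids = (req.deviceIds as string[]).map((id) => `'${id}'`).join(", ");
  const actions = (req.actions as string[]).map((a) => `'${a}'`).join(", ");
  return (
    "SELECT device_id, action, version_name FROM device_usage " +
    `WHERE app_id = '${req.appId}' AND device_id IN (${ids}) ` +
    `AND action IN (${actions}) AND id > ${req.cursor}`
  );
}

// Hypothetical allow-list: the only action names the schema knows.
const ALLOWED_ACTIONS = new Set(["get", "set", "update", "delete"]);

function requireStringArray(value: unknown, field: string, max = 100): string[] {
  if (!Array.isArray(value) || value.length === 0 || value.length > max ||
      !value.every((v) => typeof v === "string" && v.length <= 256)) {
    throw new Error(`${field}: expected a non-empty array of short strings`);
  }
  return value as string[];
}

function requireCursor(value: unknown): number {
  // The cursor is an opaque row id here; accept only a non-negative integer.
  if (typeof value !== "number" || !Number.isInteger(value) || value < 0) {
    throw new Error("cursor: expected a non-negative integer");
  }
  return value;
}

// Escape LIKE metacharacters so "search" matches literally; the pattern is
// still passed as a bound parameter, never concatenated into the SQL text.
function likeLiteral(s: string): string {
  return "%" + s.replace(/[\\%_]/g, (c) => "\\" + c) + "%";
}

// Hardened builder: user data travels only in params; the SQL text is built
// from fixed fragments with one "?" per bound value.
function buildParameterizedQuery(req: AnalyticsRequest): PreparedQuery {
  const ids = requireStringArray(req.deviceIds, "deviceIds");
  const actions = requireStringArray(req.actions, "actions", ALLOWED_ACTIONS.size);
  for (const a of actions) {
    if (!ALLOWED_ACTIONS.has(a)) throw new Error(`actions: unknown action ${JSON.stringify(a)}`);
  }
  const cursor = requireCursor(req.cursor ?? 0);
  const params: Array<string | number> = [req.appId, ...ids, ...actions, cursor];
  let sql =
    "SELECT device_id, action, version_name FROM device_usage " +
    `WHERE app_id = ? AND device_id IN (${ids.map(() => "?").join(", ")}) ` +
    `AND action IN (${actions.map(() => "?").join(", ")}) AND id > ?`;
  if (typeof req.versionName === "string") {
    sql += " AND version_name = ?";
    params.push(req.versionName);
  }
  if (typeof req.search === "string") {
    sql += " AND device_id LIKE ? ESCAPE '\\'";
    params.push(likeLiteral(req.search));
  }
  return { sql, params };
}

// Self-check for a unit test: the placeholder count must equal the number of
// bound values, otherwise the driver binds values to the wrong positions.
function placeholdersMatch(q: PreparedQuery): boolean {
  return (q.sql.match(/\?/g) ?? []).length === q.params.length;
}

// Constructed request: the second device id carries a quote followed by SQL text.
const demoRequest: AnalyticsRequest = {
  appId: "com.example.app",
  deviceIds: ["device-1", "device-2' OR '1'='1"],
  actions: ["get"],
  cursor: 0,
  search: "50%",
};

console.log(buildInterpolatedQuery(demoRequest));   // quote becomes part of the WHERE clause
console.log(buildParameterizedQuery(demoRequest));  // quote stays inside params
```

The app_id filter is bound from the authenticated key rather than the body, which is the property the advisory says the interpolated version lets a read-level caller bypass; the allow-list on actions and the integer check on cursor close the two fields that are not free text and so need no escaping at all.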
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor    Product    Version / Range
cap-go    cap-go     12.128.2
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

This vulnerability exists in Cap-go versions before 12.128.2 and involves multiple SQL injection flaws in the cloudflare.ts component. Specifically, user-controlled values from API request bodies are directly inserted into SQL query strings without proper sanitization or parameterization.

Authenticated users with read-level API key permissions can exploit this by injecting arbitrary SQL through parameters such as deviceIds, search, version_name, cursor, and actions.

This allows them to access analytics data that belongs to other users or applications, which they should not normally be able to see.

Impact Analysis

The vulnerability can lead to unauthorized access to sensitive analytics data belonging to other users or applications.

Since attackers can inject arbitrary SQL, they may retrieve confidential information, potentially resulting in a data breach.

This could compromise privacy and trust and, if exploited, may expose the affected system to further attacks.
