CVE-2026-56221— Cap-go - SQL Injection in Cloudflare Analytics Engine Queries via cloudflare.ts
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-56221
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cap-go - SQL Injection in Cloudflare Analytics Engine Queries via cloudflare.ts
Source: NVD (National Vulnerability Database)
Vulnerability Description
Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can inject arbitrary SQL through deviceIds, search, version_name, cursor, and actions parameters to access analytics data belonging to other users or applications.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-56221
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-56221
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-56221 (1)
Other References for CVE-2026-56221 (1)
IV. Related Vulnerabilities
Same product: capgo
- CVE-2026-56338
Capgo - Denial of Service in 2FA Email Verification via /aut - CVE-2026-56337
Capgo - Information Disclosure via Unauthenticated RPC Funct - CVE-2026-56310
Cap-go - Authorization Bypass in Organization Members Endpoi - CVE-2026-56302
Capgo - Unsecured Supabase Images Bucket via Missing Row Lev - CVE-2026-56257
Capgo - Authorization Bypass in App Ownership Transfer via D
Same vendor: Cap-go
- CVE-2026-56310
Cap-go - Authorization Bypass in Organization Members Endpoi - CVE-2026-56245
Supabase Capgo - Unauthenticated Cross-Tenant Build-Time Acc - CVE-2026-56248
Capgo - Unauthenticated Denial-of-Service via audit_logs RLS - CVE-2026-56280
Cap-go - Privilege Inversion in Build Log Stream via SSE Dis - CVE-2026-56316
Cap-go - Job Existence Oracle via Unauthenticated OPTIONS /b
Same weakness: CWE-89
- CVE-2026-57667
WordPress Groundhogg plugin <= 4.5 - SQL Injection vulnerabi - CVE-2026-57663
WordPress Recipe Maker For Your Food Blog from Zip Recipes p - CVE-2026-57662
WordPress Contest Gallery plugin <= 30.0.0 - SQL Injection v - CVE-2026-57653
WordPress WP Job Portal plugin <= 2.5.2 - SQL Injection vuln - CVE-2026-57644
WordPress Restaurant Menu by MotoPress plugin <= 2.4.10 - SQ
V. Comments for CVE-2026-56221
No comments yet